diff --git a/modules-minimum.conf b/modules-minimum.conf
index d1bb917..d3b08ab 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1274,14 +1274,6 @@ publicfile = module
pulseaudio = module
# Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-#
-pyzor = module
-
-
-# Layer: services
# Module: qmail
#
# Policy for qmail
@@ -1323,13 +1315,6 @@ radius = module
#
radvd = module
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-razor = module
-
# Layer: admin
# Module: readahead
#
diff --git a/modules-mls.conf b/modules-mls.conf
index b99b28a..d2bbca4 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1191,13 +1191,6 @@ publicfile = module
pulseaudio = module
# Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-#
-pyzor = module
-
-# Layer: services
# Module: qmail
#
# Policy for qmail
@@ -1239,13 +1232,6 @@ radius = module
#
radvd = module
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-razor = module
-
# Layer: admin
# Module: readahead
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index d1bb917..d3b08ab 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1274,14 +1274,6 @@ publicfile = module
pulseaudio = module
# Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-#
-pyzor = module
-
-
-# Layer: services
# Module: qmail
#
# Policy for qmail
@@ -1323,13 +1315,6 @@ radius = module
#
radvd = module
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-razor = module
-
# Layer: admin
# Module: readahead
#
diff --git a/policy-F14.patch b/policy-F14.patch
index 5eefd78..bb9a0b2 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/Makefile
--- nsaserefpolicy/Makefile 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/Makefile 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/Makefile 2010-07-30 14:06:53.000000000 -0400
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -12,7 +12,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/M
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 serefpolicy-3.8.8/man/man8/git_selinux.8
--- nsaserefpolicy/man/man8/git_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/man/man8/git_selinux.8 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/man/man8/git_selinux.8 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,109 @@
+.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
+.de EX
@@ -125,7 +125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 seref
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpolicy-3.8.8/policy/constraints
--- nsaserefpolicy/policy/constraints 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.8.8/policy/constraints 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/constraints 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,3 @@
-
#
@@ -199,7 +199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpoli
undefine(`basic_ubac_conditions')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.8.8/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/global_tunables 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/global_tunables 2010-07-30 14:06:53.000000000 -0400
@@ -61,15 +61,6 @@
## <desc>
@@ -237,7 +237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.8.8/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.8.8/policy/mcs 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/mcs 2010-07-30 14:06:53.000000000 -0400
@@ -86,10 +86,10 @@
(( h1 dom h2 ) and ( l2 eq h2 ));
@@ -253,14 +253,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.8.8
mlsconstrain process { transition dyntransition }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.8.8/policy/modules/admin/accountsd.fc
--- nsaserefpolicy/policy/modules/admin/accountsd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.if serefpolicy-3.8.8/policy/modules/admin/accountsd.if
--- nsaserefpolicy/policy/modules/admin/accountsd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,173 @@
+## <summary>Accountsservice D-Bus interfaces for querying and manipulating user account information.</summary>
+
@@ -437,7 +437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.8/policy/modules/admin/accountsd.te
--- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,64 @@
+policy_module(accountsd, 1.0.0)
+
@@ -505,7 +505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.if serefpolicy-3.8.8/policy/modules/admin/acct.if
--- nsaserefpolicy/policy/modules/admin/acct.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/acct.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/acct.if 2010-07-30 14:06:53.000000000 -0400
@@ -25,7 +25,7 @@
## </summary>
## <param name="domain">
@@ -535,7 +535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.if
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.8.8/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,18 +1,20 @@
-/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
@@ -570,7 +570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-07-30 14:06:53.000000000 -0400
@@ -1,8 +1,9 @@
-## <summary>Ainit ALSA configuration tool</summary>
+## <summary>Advanced Linux Sound Architecture.</summary>
@@ -682,7 +682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.te 2010-07-30 14:06:53.000000000 -0400
@@ -16,6 +16,9 @@
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -704,7 +704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.8.8/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/amanda.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/amanda.if 2010-07-30 14:06:53.000000000 -0400
@@ -1,12 +1,13 @@
-## <summary>Automated backup program.</summary>
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
@@ -869,7 +869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.8.8/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/anaconda.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/anaconda.te 2010-07-30 14:06:53.000000000 -0400
@@ -28,8 +28,10 @@
logging_send_syslog_msg(anaconda_t)
@@ -892,7 +892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/apt.if serefpolicy-3.8.8/policy/modules/admin/apt.if
--- nsaserefpolicy/policy/modules/admin/apt.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/apt.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/apt.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -967,7 +967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/apt.if
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/backup.if serefpolicy-3.8.8/policy/modules/admin/backup.if
--- nsaserefpolicy/policy/modules/admin/backup.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/backup.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/backup.if 2010-07-30 14:06:53.000000000 -0400
@@ -25,7 +25,7 @@
## </summary>
## <param name="domain">
@@ -979,7 +979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/backup.
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.8.8/policy/modules/admin/bootloader.if
--- nsaserefpolicy/policy/modules/admin/bootloader.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/bootloader.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/bootloader.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -1034,9 +1034,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
## </summary>
## </param>
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.8.8/policy/modules/admin/brctl.if
+--- nsaserefpolicy/policy/modules/admin/brctl.if 2010-07-27 16:06:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/brctl.if 2010-08-10 05:23:35.000000000 -0400
+@@ -17,3 +17,22 @@
+
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+ ')
++
++#####################################
++## <summary>
++## Execute brctl in the brctl domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`brctl_run',`
++ gen_require(`
++ type brctl_t, brctl_exec_t;
++ ')
++
++ brctl_domtrans($1)
++ role $2 types brctl_t;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.8.8/policy/modules/admin/certwatch.if
--- nsaserefpolicy/policy/modules/admin/certwatch.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/certwatch.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/certwatch.if 2010-07-30 14:06:53.000000000 -0400
@@ -29,7 +29,7 @@
## </summary>
## <param name="domain">
@@ -1057,7 +1083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.8.8/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/certwatch.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/certwatch.te 2010-07-30 14:06:53.000000000 -0400
@@ -35,7 +35,7 @@
miscfiles_read_localization(certwatch_t)
@@ -1077,7 +1103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.8.8/policy/modules/admin/consoletype.if
--- nsaserefpolicy/policy/modules/admin/consoletype.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/consoletype.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/consoletype.if 2010-07-30 14:06:53.000000000 -0400
@@ -8,7 +8,7 @@
## </summary>
## <param name="domain">
@@ -1107,7 +1133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
## <rolecap/>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.8.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/consoletype.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/consoletype.te 2010-07-30 14:06:53.000000000 -0400
@@ -85,6 +85,7 @@
hal_dontaudit_rw_pipes(consoletype_t)
hal_dontaudit_rw_dgram_sockets(consoletype_t)
@@ -1118,7 +1144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ddcprobe.if serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if
--- nsaserefpolicy/policy/modules/admin/ddcprobe.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -1139,7 +1165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ddcprob
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.if serefpolicy-3.8.8/policy/modules/admin/dmesg.if
--- nsaserefpolicy/policy/modules/admin/dmesg.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dmesg.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dmesg.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -1160,7 +1186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.i
## <rolecap/>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.8.8/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dmesg.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dmesg.te 2010-07-30 14:06:53.000000000 -0400
@@ -50,6 +50,12 @@
userdom_use_user_terminals(dmesg_t)
@@ -1176,7 +1202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.if serefpolicy-3.8.8/policy/modules/admin/dmidecode.if
--- nsaserefpolicy/policy/modules/admin/dmidecode.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dmidecode.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dmidecode.if 2010-07-30 14:06:53.000000000 -0400
@@ -30,7 +30,7 @@
## </summary>
## <param name="domain">
@@ -1188,7 +1214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmideco
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dpkg.if serefpolicy-3.8.8/policy/modules/admin/dpkg.if
--- nsaserefpolicy/policy/modules/admin/dpkg.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dpkg.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dpkg.if 2010-07-30 14:06:53.000000000 -0400
@@ -8,7 +8,7 @@
## </summary>
## <param name="domain">
@@ -1272,7 +1298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dpkg.if
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.8.8/policy/modules/admin/firstboot.if
--- nsaserefpolicy/policy/modules/admin/firstboot.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/firstboot.if 2010-07-30 14:06:53.000000000 -0400
@@ -9,7 +9,7 @@
## </summary>
## <param name="domain">
@@ -1320,7 +1346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.8.8/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te 2010-07-30 14:06:53.000000000 -0400
@@ -121,6 +121,7 @@
')
@@ -1331,7 +1357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.if serefpolicy-3.8.8/policy/modules/admin/kudzu.if
--- nsaserefpolicy/policy/modules/admin/kudzu.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/kudzu.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/kudzu.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -1361,7 +1387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.i
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.if serefpolicy-3.8.8/policy/modules/admin/logrotate.if
--- nsaserefpolicy/policy/modules/admin/logrotate.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logrotate.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logrotate.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -1391,7 +1417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.8.8/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logrotate.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logrotate.te 2010-07-30 14:06:53.000000000 -0400
@@ -119,6 +119,7 @@
userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
@@ -1411,7 +1437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.8.8/policy/modules/admin/logwatch.fc
--- nsaserefpolicy/policy/modules/admin/logwatch.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,7 +1,11 @@
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
@@ -1426,7 +1452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-07-30 14:06:53.000000000 -0400
@@ -19,6 +19,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -1447,7 +1473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-@@ -92,8 +98,14 @@
+@@ -92,8 +98,15 @@
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1460,12 +1486,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+role system_r types logwatch_mail_t;
+logging_read_all_logs(logwatch_mail_t)
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
++allow logwatch_mail_t self:capability { dac_read_search dac_override };
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.8.8/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/mrtg.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/mrtg.te 2010-07-30 14:06:53.000000000 -0400
@@ -115,6 +115,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -1476,14 +1503,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.8.8/policy/modules/admin/ncftool.fc
--- nsaserefpolicy/policy/modules/admin/ncftool.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.8.8/policy/modules/admin/ncftool.if
--- nsaserefpolicy/policy/modules/admin/ncftool.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,74 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if 2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,78 @@
+
+## <summary>policy for ncftool</summary>
+
@@ -1528,6 +1555,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
++
++ optional_policy(`
++ brctl_run(ncftool_t, $2)
++ ')
+')
+
+########################################
@@ -1560,8 +1591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te
--- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,79 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,87 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
@@ -1607,6 +1638,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
+dev_read_sysfs(ncftool_t)
+
++files_manage_system_conf_files(ncftool_t)
++files_relabelto_system_conf_files(ncftool_t)
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
@@ -1627,23 +1660,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
++sysnet_read_dhcpc_pid(ncftool_t)
++sysnet_signal_dhcpc(ncftool_t)
+
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
-+ brctl_domtrans(ncftool_t)
++ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
-+ consoletype_exec(ncftool_t)
++ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
-+ dbus_system_bus_client(ncftool_t)
++ iptables_initrc_domtrans(ncftool_t)
++')
++
++optional_policy(`
++ iptables_initrc_domtrans(ncftool_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/netutils.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/netutils.te 2010-07-30 14:06:53.000000000 -0400
@@ -51,6 +51,8 @@
kernel_search_proc(netutils_t)
@@ -1728,7 +1767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-10 07:29:36.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -1745,7 +1784,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
-@@ -99,6 +101,8 @@
+@@ -86,6 +88,8 @@
+
+ fs_getattr_xattr_fs(prelink_t)
+
++storage_getattr_fixed_disk_dev(prelink_t)
++
+ selinux_get_enforce_mode(prelink_t)
+
+ libs_exec_ld_so(prelink_t)
+@@ -99,6 +103,8 @@
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
@@ -1754,7 +1802,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -129,6 +133,7 @@
+@@ -109,6 +115,10 @@
+ ')
+
+ optional_policy(`
++ nsplugin_manage_rw_files(prelink_t)
++')
++
++optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+ ')
+
+@@ -129,6 +139,7 @@
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1764,7 +1823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
allow prelink_cron_system_t prelink_t:process noatsecure;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if
--- nsaserefpolicy/policy/modules/admin/quota.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/quota.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/quota.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -1785,7 +1844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.i
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.8.8/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/readahead.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/readahead.te 2010-07-30 14:06:53.000000000 -0400
@@ -51,6 +51,7 @@
files_list_non_security(readahead_t)
@@ -1804,7 +1863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
fs_dontaudit_read_ramfs_files(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.8.8/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc 2010-08-06 11:14:58.000000000 -0400
@@ -7,6 +7,7 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1823,9 +1882,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
')
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+@@ -36,6 +40,8 @@
+ /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+ /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+
++/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
++
+ /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+ /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.8/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/rpm.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/rpm.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,18 +6,21 @@
## </summary>
## <param name="domain">
@@ -2081,7 +2149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/rpm.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/rpm.te 2010-08-04 16:24:06.000000000 -0400
@@ -1,10 +1,11 @@
policy_module(rpm, 1.11.1)
@@ -2225,7 +2293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
java_domtrans_unconfined(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectoolm.te serefpolicy-3.8.8/policy/modules/admin/sectoolm.te
--- nsaserefpolicy/policy/modules/admin/sectoolm.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/sectoolm.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/sectoolm.te 2010-07-30 14:06:53.000000000 -0400
@@ -84,6 +84,7 @@
sysnet_domtrans_ifconfig(sectoolm_t)
@@ -2236,7 +2304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool
mount_exec(sectoolm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.8.8/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-07-30 14:06:53.000000000 -0400
@@ -134,9 +134,10 @@
#
interface(`shorewall_admin',`
@@ -2268,7 +2336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.8/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-07-30 14:06:53.000000000 -0400
@@ -80,13 +80,14 @@
init_rw_utmp(shorewall_t)
@@ -2287,7 +2355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
hostname_exec(shorewall_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.8.8/policy/modules/admin/shutdown.fc
--- nsaserefpolicy/policy/modules/admin/shutdown.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc 2010-07-30 14:06:53.000000000 -0400
@@ -3,3 +3,5 @@
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
@@ -2296,7 +2364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.8.8/policy/modules/admin/shutdown.if
--- nsaserefpolicy/policy/modules/admin/shutdown.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if 2010-07-30 14:06:53.000000000 -0400
@@ -19,10 +19,11 @@
ifdef(`hide_broken_symptoms', `
@@ -2386,7 +2454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.8.8/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te 2010-08-10 05:23:35.000000000 -0400
@@ -36,6 +36,8 @@
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
@@ -2396,10 +2464,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
term_use_all_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
+@@ -55,5 +57,10 @@
+ ')
+
+ optional_policy(`
++ oddjob_dontaudit_rw_fifo_file(shutdown_t)
++ oddjob_sigchld(shutdown_t)
++')
++
++optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.8.8/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/sudo.if 2010-07-27 16:12:03.000000000 -0400
-@@ -134,12 +134,16 @@
++++ serefpolicy-3.8.8/policy/modules/admin/sudo.if 2010-07-30 14:06:53.000000000 -0400
+@@ -76,6 +76,8 @@
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t, $3)
+ corecmd_bin_domtrans($1_sudo_t, $3)
++ userdom_domtrans_user_home($1_sudo_t, $3)
++ userdom_domtrans_user_tmp($1_sudo_t, $3)
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_file_perms;
+ allow $3 $1_sudo_t:process signal_perms;
+@@ -134,12 +136,16 @@
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
@@ -2419,7 +2507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.8.8/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/su.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/su.if 2010-07-30 14:06:53.000000000 -0400
@@ -212,7 +212,7 @@
auth_domtrans_chk_passwd($1_su_t)
@@ -2439,7 +2527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
# RHEL5 and possibly newer releases incl. Fedora
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.if serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if
--- nsaserefpolicy/policy/modules/admin/tmpreaper.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -2451,7 +2539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te 2010-07-30 14:06:53.000000000 -0400
@@ -25,8 +25,11 @@
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
@@ -2491,7 +2579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfstab.if serefpolicy-3.8.8/policy/modules/admin/updfstab.if
--- nsaserefpolicy/policy/modules/admin/updfstab.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/updfstab.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/updfstab.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -2503,7 +2591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfsta
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usbmodules.if serefpolicy-3.8.8/policy/modules/admin/usbmodules.if
--- nsaserefpolicy/policy/modules/admin/usbmodules.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/usbmodules.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/usbmodules.if 2010-07-30 14:06:53.000000000 -0400
@@ -26,7 +26,7 @@
## </summary>
## <param name="domain">
@@ -2515,7 +2603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usbmodu
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.8.8/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/usermanage.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/usermanage.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -2627,7 +2715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.8.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/usermanage.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/usermanage.te 2010-07-30 14:06:53.000000000 -0400
@@ -295,6 +295,7 @@
term_use_all_ttys(passwd_t)
@@ -2679,21 +2767,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.8.8/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,10 @@
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)
+-domain_mmap_low(vbetool_t)
+domain_mmap_low_type(vbetool_t)
+tunable_policy(`mmap_low_allowed',`
- domain_mmap_low(vbetool_t)
++ allow vbetool_t self:memprotect mmap_zero;
+')
mls_file_read_all_levels(vbetool_t)
mls_file_write_all_levels(vbetool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.8.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/vpn.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/vpn.te 2010-07-30 14:06:53.000000000 -0400
@@ -107,6 +107,7 @@
userdom_use_all_users_fds(vpnc_t)
@@ -2704,7 +2793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
dbus_system_bus_client(vpnc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.8.8/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/awstats.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/awstats.te 2010-07-30 14:06:53.000000000 -0400
@@ -47,6 +47,7 @@
files_read_etc_files(awstats_t)
# e.g. /usr/share/awstats/lang/awstats-en.txt
@@ -2715,14 +2804,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.8.8/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/chrome.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/chrome.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,3 @@
+ /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.8.8/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/chrome.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/chrome.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,90 @@
+
+## <summary>policy for chrome</summary>
@@ -2816,7 +2905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.8.8/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/chrome.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/chrome.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,86 @@
+policy_module(chrome,1.0.0)
+
@@ -2906,7 +2995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te 2010-07-30 14:06:53.000000000 -0400
@@ -27,7 +27,7 @@
miscfiles_read_localization(cpufreqselector_t)
@@ -2918,7 +3007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,49 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2971,7 +3060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.8.8/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,110 @@
+## <summary>execmem domain</summary>
+
@@ -3085,7 +3174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.8.8/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,10 @@
+policy_module(execmem, 1.0.0)
+
@@ -3099,14 +3188,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.8.8/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,23 @@
+
+## <summary>policy for firewallgui</summary>
@@ -3133,7 +3222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.8.8/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,66 @@
+policy_module(firewallgui,1.0.0)
+
@@ -3203,7 +3292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.8.8/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,8 +1,28 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
@@ -3237,7 +3326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.8.8/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-08-05 09:43:28.000000000 -0400
@@ -74,6 +74,24 @@
########################################
@@ -3694,7 +3783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.8.8/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.te 2010-07-30 14:06:53.000000000 -0400
@@ -6,18 +6,33 @@
#
@@ -3847,7 +3936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.8.8/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gpg.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gpg.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,5 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
@@ -3856,7 +3945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.8.8/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gpg.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gpg.if 2010-07-30 14:06:53.000000000 -0400
@@ -85,6 +85,43 @@
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
@@ -3903,7 +3992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
## Send generic signals to user gpg processes.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.8.8/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gpg.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gpg.te 2010-07-30 14:06:53.000000000 -0400
@@ -4,6 +4,7 @@
#
# Declarations
@@ -4048,7 +4137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.8.8/policy/modules/apps/irc.fc
--- nsaserefpolicy/policy/modules/apps/irc.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/irc.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/irc.fc 2010-07-30 14:06:53.000000000 -0400
@@ -2,10 +2,14 @@
# /home
#
@@ -4066,7 +4155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s
/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.8.8/policy/modules/apps/irc.if
--- nsaserefpolicy/policy/modules/apps/irc.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/irc.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/irc.if 2010-07-30 14:06:53.000000000 -0400
@@ -18,9 +18,11 @@
interface(`irc_role',`
gen_require(`
@@ -4099,7 +4188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.8.8/policy/modules/apps/irc.te
--- nsaserefpolicy/policy/modules/apps/irc.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/irc.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/irc.te 2010-07-30 14:06:53.000000000 -0400
@@ -24,6 +24,30 @@
########################################
@@ -4217,7 +4306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.8.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/java.fc 2010-07-30 14:06:53.000000000 -0400
@@ -9,6 +9,7 @@
#
# /usr
@@ -4238,7 +4327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.8.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/java.if 2010-07-30 14:06:53.000000000 -0400
@@ -72,7 +72,8 @@
domain_interactive_fd($1_java_t)
@@ -4277,7 +4366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.8.8/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-07-30 14:06:53.000000000 -0400
@@ -82,6 +82,7 @@
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)
@@ -4304,19 +4393,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
rpm_domtrans(unconfined_java_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,2 @@
+## <summary>system-config-kdump policy</summary>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,68 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -4388,7 +4477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.8.8/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/livecd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/livecd.if 2010-07-30 14:06:53.000000000 -0400
@@ -41,6 +41,8 @@
livecd_domtrans($1)
@@ -4425,7 +4514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.8.8/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/livecd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/livecd.te 2010-07-30 14:06:53.000000000 -0400
@@ -20,6 +20,7 @@
dontaudit livecd_t self:capability2 mac_admin;
@@ -4447,7 +4536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.8.8/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/loadkeys.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/loadkeys.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -4477,7 +4566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.8.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mono.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mono.if 2010-07-30 14:06:53.000000000 -0400
@@ -41,15 +41,18 @@
application_type($1_mono_t)
@@ -4520,7 +4609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.8.8/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -4531,7 +4620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.8.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if 2010-07-30 14:06:53.000000000 -0400
@@ -48,6 +48,12 @@
mozilla_dbus_chat($2)
@@ -4556,7 +4645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-07-30 14:06:53.000000000 -0400
@@ -25,6 +25,7 @@
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
@@ -4595,7 +4684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
pulseaudio_manage_home_files(mozilla_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if 2010-07-30 14:06:53.000000000 -0400
@@ -102,3 +102,39 @@
read_files_pattern($1, mplayer_home_t, mplayer_home_t)
userdom_search_user_home_dirs($1)
@@ -4638,7 +4727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.8.8/policy/modules/apps/mplayer.te
--- nsaserefpolicy/policy/modules/apps/mplayer.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mplayer.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mplayer.te 2010-07-30 14:06:53.000000000 -0400
@@ -32,6 +32,7 @@
type mplayer_home_t;
typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
@@ -4677,7 +4766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,10 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -4691,7 +4780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-10 07:28:28.000000000 -0400
@@ -0,0 +1,391 @@
+
+## <summary>policy for nsplugin</summary>
@@ -5086,8 +5175,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,299 @@
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-10 11:45:49.000000000 -0400
+@@ -0,0 +1,300 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -5117,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
-+userdom_user_home_content(nsplugin_rw_t)
++files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
@@ -5245,6 +5334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
++ alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
@@ -5389,7 +5479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.8.8/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/openoffice.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,4 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
@@ -5397,7 +5487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.8.8/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/openoffice.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,129 @@
+## <summary>Openoffice</summary>
+
@@ -5530,7 +5620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.8.8/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/openoffice.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,16 @@
+policy_module(openoffice, 1.0.0)
+
@@ -5550,7 +5640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-07-30 14:06:53.000000000 -0400
@@ -73,6 +73,7 @@
sysnet_dns_name_resolve(podsleuth_t)
@@ -5561,7 +5651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if 2010-07-30 14:06:53.000000000 -0400
@@ -35,6 +35,10 @@
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
@@ -5575,7 +5665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te 2010-07-30 14:06:53.000000000 -0400
@@ -44,6 +44,7 @@
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
@@ -5626,7 +5716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.8/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/qemu.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/qemu.if 2010-07-30 14:06:53.000000000 -0400
@@ -275,6 +275,67 @@
########################################
@@ -5722,7 +5812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.8.8/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/qemu.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/qemu.te 2010-07-30 14:06:53.000000000 -0400
@@ -102,6 +102,10 @@
xen_rw_image_files(qemu_t)
')
@@ -5745,18 +5835,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
allow unconfined_qemu_t qemu_exec_t:file execmod;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.8.8/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.8.8/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.8.8/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,66 @@
+policy_module(sambagui,1.0.0)
+
@@ -5826,12 +5916,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.8.8/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-03 14:37:32.000000000 -0400
@@ -0,0 +1,314 @@
+
+## <summary>policy for sandbox</summary>
@@ -5919,7 +6009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ ')
+
+ type $1_t, sandbox_domain, sandbox_x_type;
-+ domain_type($1_t)
++ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
+
@@ -5954,7 +6044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ ')
+
+ type $1_t, sandbox_x_domain;
-+ domain_type($1_t)
++ application_type($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
@@ -5976,7 +6066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
-+ domain_type($1_client_t)
++ application_type($1_client_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
@@ -6149,7 +6239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-03 13:19:32.000000000 -0400
@@ -0,0 +1,390 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -6186,7 +6276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+# sandbox xserver policy
+#
-+allow sandbox_xserver_t self:process execmem;
++allow sandbox_xserver_t self:process { execmem execstack };
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
@@ -6543,7 +6633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.8.8/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.if 2010-07-30 14:06:53.000000000 -0400
@@ -53,8 +53,14 @@
########################################
@@ -6597,8 +6687,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-07-27 16:12:03.000000000 -0400
-@@ -5,40 +5,41 @@
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-06 12:05:20.000000000 -0400
+@@ -5,40 +5,45 @@
# Declarations
#
@@ -6612,8 +6702,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap };
++allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
@@ -6622,29 +6712,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
-allow seunshare_t self:fifo_file rw_file_perms;
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
-+corecmd_exec_shell(seunshare_domain)
-+corecmd_exec_bin(seunshare_domain)
++kernel_read_system_state(seunshare_domain)
-corecmd_exec_shell(seunshare_t)
-corecmd_exec_bin(seunshare_t)
-+files_search_all(seunshare_domain)
-+files_read_etc_files(seunshare_domain)
-+files_mounton_all_poly_members(seunshare_domain)
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
-+fs_manage_cgroup_dirs(seunshare_domain)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
-auth_use_nsswitch(seunshare_t)
-+auth_use_nsswitch(seunshare_domain)
++fs_manage_cgroup_dirs(seunshare_domain)
++fs_manage_cgroup_files(seunshare_domain)
-logging_send_syslog_msg(seunshare_t)
-+logging_send_syslog_msg(seunshare_domain)
++auth_use_nsswitch(seunshare_domain)
-miscfiles_read_localization(seunshare_t)
-+miscfiles_read_localization(seunshare_domain)
++logging_send_syslog_msg(seunshare_domain)
-userdom_use_user_terminals(seunshare_t)
++miscfiles_read_localization(seunshare_domain)
++
+userdom_use_user_terminals(seunshare_domain)
ifdef(`hide_broken_symptoms', `
@@ -6657,9 +6750,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
')
')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.fc serefpolicy-3.8.8/policy/modules/apps/telepathy.fc
--- nsaserefpolicy/policy/modules/apps/telepathy.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,14 @@
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
@@ -6677,7 +6771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.if serefpolicy-3.8.8/policy/modules/apps/telepathy.if
--- nsaserefpolicy/policy/modules/apps/telepathy.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,188 @@
+
+## <summary>Telepathy framework.</summary>
@@ -6869,8 +6963,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te
--- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,309 @@
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-04 11:57:36.000000000 -0400
+@@ -0,0 +1,310 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -6923,6 +7017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
++userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
+
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
@@ -7182,7 +7277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.8.8/policy/modules/apps/userhelper.fc
--- nsaserefpolicy/policy/modules/apps/userhelper.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.fc 2010-07-30 14:06:53.000000000 -0400
@@ -7,3 +7,4 @@
# /usr
#
@@ -7190,7 +7285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.8.8/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.if 2010-07-30 14:06:53.000000000 -0400
@@ -25,6 +25,7 @@
gen_require(`
attribute userhelper_type;
@@ -7269,7 +7364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.8.8/policy/modules/apps/userhelper.te
--- nsaserefpolicy/policy/modules/apps/userhelper.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te 2010-07-30 14:06:53.000000000 -0400
@@ -6,9 +6,51 @@
#
@@ -7324,7 +7419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.8.8/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/vmware.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/vmware.te 2010-07-30 14:06:53.000000000 -0400
@@ -126,6 +126,7 @@
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
@@ -7335,7 +7430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
domain_dontaudit_read_all_domains_state(vmware_host_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.if serefpolicy-3.8.8/policy/modules/apps/webalizer.if
--- nsaserefpolicy/policy/modules/apps/webalizer.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/webalizer.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/webalizer.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -7356,7 +7451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalize
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.8.8/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wine.fc 2010-07-30 14:06:53.000000000 -0400
@@ -2,6 +2,7 @@
/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
@@ -7367,8 +7462,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.8.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-07-27 16:12:03.000000000 -0400
-@@ -35,6 +35,8 @@
++++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-08-05 17:18:31.000000000 -0400
+@@ -29,12 +29,16 @@
+ #
+ template(`wine_role',`
+ gen_require(`
++ type wine_t;
++ type wine_home_t;
+ type wine_exec_t;
+ ')
+
role $1 types wine_t;
domain_auto_trans($2, wine_exec_t, wine_t)
@@ -7377,26 +7480,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
allow wine_t $2:fd use;
allow wine_t $2:process { sigchld signull };
allow wine_t $2:unix_stream_socket connectto;
-@@ -101,9 +103,16 @@
+@@ -86,6 +90,7 @@
+ #
+ template(`wine_role_template',`
+ gen_require(`
++ type wine_t;
+ type wine_exec_t;
+ ')
+
+@@ -101,9 +106,16 @@
corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
+ userdom_manage_tmpfs_role($2, $1_wine_t)
-
-- domain_mmap_low($1_wine_t)
++
+ domain_mmap_low_type($1_wine_t)
+ tunable_policy(`mmap_low_allowed',`
-+ domain_mmap_low($1_wine_t)
++ allow $1_wine_t self:memprotect mmap_zero;
+ ')
-+
+
+- domain_mmap_low($1_wine_t)
+ tunable_policy(`wine_mmap_zero_ignore',`
-+ allow $1_wine_t self:memprotect mmap_zero;
++ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
optional_policy(`
xserver_role($1_r, $1_wine_t)
-@@ -136,7 +145,7 @@
+@@ -136,7 +148,7 @@
## </summary>
## <param name="domain">
## <summary>
@@ -7407,7 +7518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.8.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wine.te 2010-07-30 14:06:53.000000000 -0400
@@ -1,5 +1,13 @@
policy_module(wine, 1.7.1)
@@ -7429,7 +7540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
-domain_mmap_low(wine_t)
+domain_mmap_low_type(wine_t)
+tunable_policy(`mmap_low_allowed',`
-+ domain_mmap_low(wine_t)
++ allow wine_t self:memprotect mmap_zero;
+')
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
@@ -7452,7 +7563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.te serefpolicy-3.8.8/policy/modules/apps/wireshark.te
--- nsaserefpolicy/policy/modules/apps/wireshark.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wireshark.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wireshark.te 2010-07-30 14:06:53.000000000 -0400
@@ -15,6 +15,7 @@
type wireshark_home_t;
typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
@@ -7472,7 +7583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshar
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.8.8/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wm.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wm.if 2010-07-30 14:06:53.000000000 -0400
@@ -75,6 +75,10 @@
miscfiles_read_fonts($1_wm_t)
miscfiles_read_localization($1_wm_t)
@@ -7486,7 +7597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
dbus_session_bus_client($1_wm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-07-30 14:06:53.000000000 -0400
@@ -9,8 +9,10 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7535,7 +7646,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +239,8 @@
+@@ -220,6 +231,7 @@
+
+ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -228,6 +240,8 @@
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7544,7 +7663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +327,7 @@
+@@ -314,6 +328,7 @@
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -7552,7 +7671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -340,3 +354,24 @@
+@@ -340,3 +355,24 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7579,7 +7698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.8.8/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if 2010-07-30 14:06:53.000000000 -0400
@@ -931,6 +931,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -7598,7 +7717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.fc serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc
--- nsaserefpolicy/policy/modules/kernel/corenetwork.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc 2010-07-30 14:06:53.000000000 -0400
@@ -5,3 +5,6 @@
/dev/tap.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
@@ -7608,7 +7727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-08-04 13:10:54.000000000 -0400
@@ -24,6 +24,7 @@
#
type tun_tap_device_t;
@@ -7659,7 +7778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -124,8 +132,9 @@
+@@ -124,29 +132,32 @@
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -7670,7 +7789,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(kismet, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
-@@ -137,16 +146,17 @@
+ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+ network_port(lirc, tcp,8765,s0)
++network_port(luci, tcp,8084,s0)
+ network_port(lmtp, tcp,24,s0, udp,24,s0)
+ type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
+ network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
@@ -7691,7 +7815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -154,12 +164,20 @@
+@@ -154,12 +165,20 @@
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -7712,7 +7836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +192,27 @@
+@@ -174,24 +193,27 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -7743,7 +7867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -201,16 +222,17 @@
+@@ -201,16 +223,17 @@
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -7766,7 +7890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.8.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.fc 2010-07-30 14:06:53.000000000 -0400
@@ -176,13 +176,12 @@
/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
@@ -7794,8 +7918,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-27 16:12:03.000000000 -0400
-@@ -497,6 +497,24 @@
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-04 12:08:01.000000000 -0400
+@@ -461,6 +461,24 @@
+
+ ########################################
+ ## <summary>
++## Allow relablefrom for generic character device files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_relabelfrom_generic_chr_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ allow $1 device_t:chr_file relabelfrom;
++')
++
++########################################
++## <summary>
+ ## Dontaudit getattr for generic character device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -497,6 +515,24 @@
########################################
## <summary>
@@ -7820,7 +7969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read and write generic character device files.
## </summary>
## <param name="domain">
-@@ -606,6 +624,24 @@
+@@ -606,6 +642,24 @@
########################################
## <summary>
@@ -7845,7 +7994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
-@@ -1015,6 +1051,42 @@
+@@ -1015,6 +1069,42 @@
########################################
## <summary>
@@ -7888,7 +8037,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -3540,6 +3612,24 @@
+@@ -1277,6 +1367,24 @@
+
+ ########################################
+ ## <summary>
++## Relableto the autofs device node.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_relabelto_autofs_dev',`
++ gen_require(`
++ type autofs_device_t;
++ ')
++
++ allow $1 autofs_device_t:chr_file relabelto;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to get the attributes of
+ ## the autofs device node.
+ ## </summary>
+@@ -3540,6 +3648,24 @@
########################################
## <summary>
@@ -7913,7 +8087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3851,6 +3941,24 @@
+@@ -3851,6 +3977,24 @@
########################################
## <summary>
@@ -7938,7 +8112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4161,11 +4269,10 @@
+@@ -4161,11 +4305,10 @@
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -7954,7 +8128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.8.8/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.te 2010-07-30 14:06:53.000000000 -0400
@@ -100,6 +100,7 @@
#
type kvm_device_t;
@@ -7972,7 +8146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
allow devices_unconfined_type mtrr_device_t:file *;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/domain.if 2010-07-30 14:06:53.000000000 -0400
@@ -611,7 +611,7 @@
########################################
@@ -7991,7 +8165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## </summary>
## <param name="domain">
## <summary>
-@@ -1372,18 +1372,34 @@
+@@ -1372,13 +1372,11 @@
## </summary>
## </param>
#
@@ -8006,30 +8180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
typeattribute $1 mmap_low_domain_type;
')
- ########################################
- ## <summary>
-+## Ability to mmap a low area of the address space,
-+## as configured by /proc/sys/kernel/mmap_min_addr.
-+## Preventing such mappings helps protect against
-+## exploiting null deref bugs in the kernel.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to mmap low memory.
-+## </summary>
-+## </param>
-+#
-+interface(`domain_mmap_low',`
-+
-+ allow $1 self:memprotect mmap_zero;
-+')
-+
-+########################################
-+## <summary>
- ## Allow specified type to receive labeled
- ## networking packets from all domains, over
- ## all protocols (TCP, UDP, etc)
-@@ -1445,3 +1461,22 @@
+@@ -1445,3 +1443,22 @@
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
')
@@ -8054,7 +8205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.8.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/domain.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/domain.te 2010-07-30 14:06:53.000000000 -0400
@@ -4,6 +4,21 @@
#
# Declarations
@@ -8222,7 +8373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.8.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.fc 2010-07-30 14:06:53.000000000 -0400
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -8324,7 +8475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-10 05:23:35.000000000 -0400
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8429,7 +8580,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3711,6 +3765,64 @@
+@@ -3420,6 +3474,24 @@
+ read_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++######################################
++## <summary>
++## Read symbolic links in /mnt.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_mnt_symlinks',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ read_lnk_files_pattern($1, mnt_t, mnt_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -3711,6 +3783,82 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -8472,6 +8648,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
++######################################
++## <summary>
++## Relabel manageable system configuration files in /etc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
+###################################
+## <summary>
+## Create files in /etc with the type used for
@@ -8494,7 +8688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Allow the specified type to associate
-@@ -3896,6 +4008,32 @@
+@@ -3896,6 +4044,32 @@
########################################
## <summary>
@@ -8527,7 +8721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4109,6 +4247,13 @@
+@@ -4109,6 +4283,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8541,10 +8735,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5298,6 +5443,25 @@
+@@ -5298,6 +5479,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
+#######################################
+## <summary>
+## Create generic pid directory.
@@ -8567,7 +8779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Do not audit attempts to search
-@@ -5505,6 +5669,26 @@
+@@ -5505,6 +5723,26 @@
########################################
## <summary>
@@ -8594,7 +8806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5522,6 +5706,7 @@
+@@ -5522,6 +5760,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -8602,7 +8814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5807,3 +5992,229 @@
+@@ -5807,3 +6046,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -8834,7 +9046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.8.8/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.te 2010-07-30 14:06:53.000000000 -0400
@@ -11,6 +11,7 @@
attribute mountpoint;
attribute pidfile;
@@ -8868,7 +9080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
typealias etc_runtime_t alias firstboot_rw_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc
--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,3 @@
/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
@@ -8876,7 +9088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-04 13:24:15.000000000 -0400
@@ -1233,7 +1233,7 @@
type cifs_t;
')
@@ -9111,7 +9323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.8.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-07-30 14:06:53.000000000 -0400
@@ -52,6 +52,7 @@
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
@@ -9155,7 +9367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.8.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if 2010-07-30 14:06:53.000000000 -0400
@@ -1977,7 +1977,7 @@
')
@@ -9216,7 +9428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.8.8/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/kernel.te 2010-07-30 14:06:53.000000000 -0400
@@ -156,6 +156,7 @@
#
type unlabeled_t;
@@ -9278,7 +9490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
# Unlabeled process local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-07-30 14:06:53.000000000 -0400
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -9338,7 +9550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc 2010-07-30 14:06:53.000000000 -0400
@@ -5,7 +5,7 @@
/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
@@ -9357,7 +9569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-05 14:41:46.000000000 -0400
@@ -101,6 +101,8 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
@@ -9367,9 +9579,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
typeattribute $1 fixed_disk_raw_read;
')
+@@ -203,6 +205,8 @@
+ type fixed_disk_device_t;
+ ')
+
++ allow $1 self:capability mknod;
++
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ dev_add_entry_generic_dirs($1)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-03 13:44:23.000000000 -0400
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -9401,7 +9622,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
-@@ -1352,7 +1354,7 @@
+@@ -1252,10 +1254,12 @@
+ interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1352,7 +1356,7 @@
attribute ttynode;
')
@@ -9412,7 +9646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.8.8/policy/modules/roles/auditadm.te
--- nsaserefpolicy/policy/modules/roles/auditadm.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/auditadm.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/auditadm.te 2010-07-30 14:06:53.000000000 -0400
@@ -28,10 +28,13 @@
logging_manage_audit_config(auditadm_t)
logging_run_auditctl(auditadm_t, auditadm_r)
@@ -9429,7 +9663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.8.8/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/guest.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/guest.te 2010-07-30 14:06:53.000000000 -0400
@@ -14,4 +14,8 @@
# Local policy
#
@@ -9442,7 +9676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.8.8/policy/modules/roles/secadm.te
--- nsaserefpolicy/policy/modules/roles/secadm.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/secadm.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/secadm.te 2010-07-30 14:06:53.000000000 -0400
@@ -9,6 +9,8 @@
userdom_unpriv_user_template(secadm)
@@ -9454,7 +9688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-07-30 14:06:53.000000000 -0400
@@ -8,25 +8,55 @@
role staff_r;
@@ -9651,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-07-30 14:06:53.000000000 -0400
@@ -27,17 +27,29 @@
corecmd_exec_shell(sysadm_t)
@@ -10008,7 +10242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+miscfiles_read_hwdata(sysadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@@ -10020,7 +10254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,667 @@
+## <summary>Unconfiend user role</summary>
+
@@ -10691,8 +10925,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,448 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 07:44:10.000000000 -0400
+@@ -0,0 +1,453 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -10958,6 +11192,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ ')
+
+ optional_policy(`
++ ipsec_mgmt_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
+ kerneloops_dbus_chat(unconfined_usertype)
+ ')
+
@@ -11102,6 +11340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ unconfined_domain_noaudit(unconfined_execmem_t)
+ allow unconfined_execmem_t unconfined_t:process transition;
+ rpm_transition_script(unconfined_execmem_t)
++ role system_r types unconfined_execmem_t;
+
+ optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
@@ -11143,7 +11382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.8.8/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te 2010-07-30 14:06:53.000000000 -0400
@@ -12,10 +12,13 @@
userdom_unpriv_user_template(user)
@@ -11204,7 +11443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-06 11:01:58.000000000 -0400
@@ -14,7 +14,7 @@
## <desc>
@@ -11286,10 +11525,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
-+ telepathy_dbus_session_role(xguest_r, xguest_t)
')
optional_policy(`
@@ -11330,22 +11565,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
+ ')
-+')
+
++ optional_policy(`
++ telepathy_dbus_session_role(xguest_r, xguest_t)
+ ')
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
- ')
++ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
- ')
-
--#gen_user(xguest_u,, xguest_r, s0, s0)
++')
++
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.8.8/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.fc 2010-07-30 14:06:53.000000000 -0400
@@ -15,6 +15,7 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -11356,7 +11595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.8.8/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.if 2010-08-10 07:15:12.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -11450,7 +11689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.8/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-08-03 09:01:25.000000000 -0400
@@ -5,6 +5,14 @@
# Declarations
#
@@ -11510,7 +11749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -140,6 +151,11 @@
+@@ -140,6 +151,15 @@
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -11519,10 +11758,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
++
++optional_policy(`
++ apache_read_modules(abrt_t)
++')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,7 +166,12 @@
+@@ -150,7 +170,12 @@
')
optional_policy(`
@@ -11536,7 +11779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -178,6 +199,12 @@
+@@ -178,6 +203,12 @@
')
optional_policy(`
@@ -11549,7 +11792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
sssd_stream_connect(abrt_t)
')
-@@ -203,6 +230,7 @@
+@@ -203,6 +234,7 @@
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
@@ -11557,7 +11800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -217,11 +245,26 @@
+@@ -217,11 +249,26 @@
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms', `
@@ -11586,7 +11829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.8.8/policy/modules/services/afs.if
--- nsaserefpolicy/policy/modules/services/afs.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/afs.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/afs.if 2010-07-30 14:06:53.000000000 -0400
@@ -63,7 +63,7 @@
## </summary>
## <param name="domain">
@@ -11598,7 +11841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.8.8/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/afs.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/afs.te 2010-07-30 14:06:53.000000000 -0400
@@ -82,6 +82,10 @@
kernel_rw_afs_state(afs_t)
@@ -11612,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
corenet_tcp_sendrecv_generic_if(afs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.8/policy/modules/services/aiccu.fc
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/aiccu.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aiccu.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,6 @@
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
@@ -11622,7 +11865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.8/policy/modules/services/aiccu.if
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/aiccu.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aiccu.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,118 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
@@ -11744,7 +11987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.8/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/aiccu.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aiccu.te 2010-07-30 14:55:47.000000000 -0400
@@ -0,0 +1,71 @@
+policy_module(aiccu, 1.0.0)
+
@@ -11819,7 +12062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+sysnet_dns_name_resolve(aiccu_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.8/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/aisexec.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aisexec.te 2010-08-03 09:16:29.000000000 -0400
@@ -32,7 +32,7 @@
# aisexec local policy
#
@@ -11841,7 +12084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.8.8/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/amavis.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/amavis.te 2010-07-30 14:06:53.000000000 -0400
@@ -92,9 +92,10 @@
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
@@ -11856,7 +12099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -11877,7 +12120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -11908,7 +12151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-08-03 09:01:04.000000000 -0400
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -12117,7 +12360,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Apache cache.
## </summary>
## <param name="domain">
-@@ -756,6 +789,7 @@
+@@ -740,6 +773,25 @@
+
+ ########################################
+ ## <summary>
++## Allow the specified domain to read
++## the apache module directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_read_modules',`
++ gen_require(`
++ type httpd_modules_t;
++ ')
++
++ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
++')
++
++########################################
++## <summary>
+ ## Allow the specified domain to list
+ ## the contents of the apache modules
+ ## directory.
+@@ -756,6 +808,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -12125,7 +12394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -814,6 +848,7 @@
+@@ -814,6 +867,7 @@
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -12133,7 +12402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_search_var($1)
')
-@@ -841,6 +876,74 @@
+@@ -841,6 +895,74 @@
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -12208,7 +12477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Execute all web scripts in the system
-@@ -858,6 +961,11 @@
+@@ -858,6 +980,11 @@
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -12220,7 +12489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1053,7 @@
+@@ -945,7 +1072,7 @@
type httpd_squirrelmail_t;
')
@@ -12229,7 +12498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1086,6 +1194,25 @@
+@@ -1086,6 +1213,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -12255,7 +12524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1102,7 +1229,7 @@
+@@ -1102,7 +1248,7 @@
type httpd_tmp_t;
')
@@ -12264,7 +12533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1172,7 +1299,7 @@
+@@ -1172,7 +1318,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -12273,7 +12542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1329,43 @@
+@@ -1202,12 +1348,43 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -12320,7 +12589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.8.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-08-10 11:21:49.000000000 -0400
@@ -18,6 +18,8 @@
# Declarations
#
@@ -12606,7 +12875,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_ssi_exec',`
-@@ -513,7 +625,13 @@
+@@ -500,8 +612,10 @@
+ # are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_t)
++ userdom_use_user_terminals(httpd_suexec_t)
+ ',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
++ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+ ')
+
+ optional_policy(`
+@@ -513,7 +627,13 @@
')
optional_policy(`
@@ -12621,7 +12901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +646,7 @@
+@@ -528,7 +648,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -12630,7 +12910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +655,12 @@
+@@ -537,8 +657,12 @@
')
optional_policy(`
@@ -12644,7 +12924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -557,6 +679,7 @@
+@@ -557,6 +681,7 @@
optional_policy(`
# Allow httpd to work with mysql
@@ -12652,7 +12932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +690,7 @@
+@@ -567,6 +692,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -12660,7 +12940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +701,23 @@
+@@ -577,12 +703,23 @@
')
optional_policy(`
@@ -12684,7 +12964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +726,11 @@
+@@ -591,6 +728,11 @@
')
optional_policy(`
@@ -12696,7 +12976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +743,10 @@
+@@ -603,6 +745,10 @@
yam_read_content(httpd_t)
')
@@ -12707,7 +12987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache helper local policy
-@@ -618,6 +762,10 @@
+@@ -618,6 +764,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -12718,7 +12998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +847,18 @@
+@@ -699,17 +849,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -12740,7 +13020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +889,21 @@
+@@ -740,10 +891,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -12763,7 +13043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +929,12 @@
+@@ -769,6 +931,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -12776,7 +13056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +958,13 @@
+@@ -792,9 +960,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -12790,7 +13070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +973,22 @@
+@@ -803,6 +975,22 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -12813,7 +13093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1016,16 @@
+@@ -830,6 +1018,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -12830,7 +13110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1038,7 @@
+@@ -842,6 +1040,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12838,7 +13118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1088,33 @@
+@@ -891,11 +1090,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -12877,7 +13157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.8.8/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apcupsd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apcupsd.te 2010-07-30 14:06:53.000000000 -0400
@@ -94,6 +94,10 @@
')
@@ -12891,7 +13171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.if serefpolicy-3.8.8/policy/modules/services/apm.if
--- nsaserefpolicy/policy/modules/services/apm.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apm.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apm.if 2010-07-30 14:06:53.000000000 -0400
@@ -25,7 +25,7 @@
## </summary>
## <param name="domain">
@@ -12912,7 +13192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-07-30 14:06:53.000000000 -0400
@@ -62,6 +62,7 @@
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
@@ -12942,7 +13222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-08-03 09:15:01.000000000 -0400
@@ -50,6 +50,7 @@
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
@@ -12961,7 +13241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_getattr_all_fs(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.8/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/asterisk.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/asterisk.te 2010-07-30 14:06:53.000000000 -0400
@@ -99,6 +99,7 @@
corenet_tcp_bind_generic_node(asterisk_t)
corenet_udp_bind_generic_node(asterisk_t)
@@ -12991,7 +13271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.8.8/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/automount.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/automount.if 2010-07-30 14:06:53.000000000 -0400
@@ -25,7 +25,7 @@
## </summary>
## <param name="domain">
@@ -13003,7 +13283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.8.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/automount.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/automount.te 2010-07-30 14:06:53.000000000 -0400
@@ -145,6 +145,7 @@
# Run mount in the mount_t domain.
@@ -13014,7 +13294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
userdom_dontaudit_use_unpriv_user_fds(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.8.8/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/avahi.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/avahi.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -13043,7 +13323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.8.8/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/avahi.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/avahi.te 2010-07-30 14:06:53.000000000 -0400
@@ -37,10 +37,11 @@
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
@@ -13059,7 +13339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
kernel_read_kernel_sysctls(avahi_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.8/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-07-30 14:06:53.000000000 -0400
@@ -359,9 +359,9 @@
interface(`bind_admin',`
gen_require(`
@@ -13084,7 +13364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
admin_pattern($1, named_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.8.8/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bind.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bind.te 2010-07-30 14:06:53.000000000 -0400
@@ -89,9 +89,10 @@
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -13099,7 +13379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
allow named_t named_zone_t:dir list_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.8/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bitlbee.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bitlbee.te 2010-07-30 14:06:53.000000000 -0400
@@ -27,6 +27,7 @@
# Local policy
#
@@ -13121,7 +13401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl
sysnet_dns_name_resolve(bitlbee_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.8/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bluetooth.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bluetooth.if 2010-07-30 14:06:53.000000000 -0400
@@ -64,7 +64,7 @@
## </summary>
## <param name="domain">
@@ -13195,10 +13475,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.8.8/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/boinc.fc 2010-08-10 07:13:34.000000000 -0400
@@ -0,0 +1,8 @@
+
-+/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
@@ -13207,7 +13487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.8.8/policy/modules/services/boinc.if
--- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/boinc.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,151 @@
+
+## <summary>policy for boinc</summary>
@@ -13362,8 +13642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,143 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-11 07:44:10.000000000 -0400
+@@ -0,0 +1,145 @@
+policy_module(boinc,1.0.0)
+
+########################################
@@ -13483,6 +13763,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
++allow boinc_project_t self:fifo_file rw_fifo_file_perms;
++
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
@@ -13509,7 +13791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.8/policy/modules/services/bugzilla.fc
--- nsaserefpolicy/policy/modules/services/bugzilla.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
@@ -13517,7 +13799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if
--- nsaserefpolicy/policy/modules/services/bugzilla.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,81 @@
+## <summary>Bugzilla server</summary>
+
@@ -13587,7 +13869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
-+ files_list_tmps($1)
++ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
+ files_search_var_lib(httpd_bugzilla_script_t)
@@ -13602,7 +13884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.8/policy/modules/services/bugzilla.te
--- nsaserefpolicy/policy/modules/services/bugzilla.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,56 @@
+policy_module(bugzilla, 1.0)
+
@@ -13662,7 +13944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,29 @@
+###############################################################################
+#
@@ -13695,7 +13977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.8.8/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,41 @@
+###############################################################################
+#
@@ -13740,7 +14022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.8.8/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,147 @@
+###############################################################################
+#
@@ -13891,7 +14173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+dev_search_sysfs(cachefiles_kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.8.8/policy/modules/services/canna.te
--- nsaserefpolicy/policy/modules/services/canna.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/canna.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/canna.te 2010-07-30 14:06:53.000000000 -0400
@@ -42,9 +42,10 @@
manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
@@ -13906,7 +14188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann
kernel_read_system_state(canna_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.8.8/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ccs.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ccs.te 2010-07-30 14:06:53.000000000 -0400
@@ -118,5 +118,10 @@
')
@@ -13920,7 +14202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.8.8/policy/modules/services/certmaster.if
--- nsaserefpolicy/policy/modules/services/certmaster.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/certmaster.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/certmaster.if 2010-07-30 14:06:53.000000000 -0400
@@ -18,6 +18,25 @@
domtrans_pattern($1, certmaster_exec_t, certmaster_t)
')
@@ -13949,7 +14231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
## read certmaster logs.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.8.8/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/certmonger.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/certmonger.if 2010-07-30 14:06:53.000000000 -0400
@@ -45,7 +45,7 @@
## </summary>
## <param name="domain">
@@ -13972,7 +14254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.8.8/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/certmonger.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/certmonger.te 2010-07-30 14:06:53.000000000 -0400
@@ -68,5 +68,5 @@
')
@@ -13982,7 +14264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.8.8/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cgroup.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cgroup.te 2010-08-10 07:20:55.000000000 -0400
@@ -18,8 +18,8 @@
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
@@ -13994,6 +14276,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
+@@ -33,7 +33,7 @@
+ # cgconfig personal policy.
+ #
+
+-allow cgconfig_t self:capability { chown sys_admin };
++allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
+
+ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+
@@ -53,7 +53,7 @@
# cgred personal policy.
#
@@ -14013,7 +14304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
files_getattr_all_sockets(cgred_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.8.8/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/chronyd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/chronyd.if 2010-07-30 14:06:53.000000000 -0400
@@ -19,6 +19,24 @@
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
@@ -14122,7 +14413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.8.8/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/chronyd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/chronyd.te 2010-07-30 14:06:53.000000000 -0400
@@ -15,6 +15,9 @@
type chronyd_keys_t;
files_type(chronyd_keys_t)
@@ -14154,8 +14445,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
corenet_udp_bind_chronyd_port(chronyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-07-27 16:12:03.000000000 -0400
-@@ -89,9 +89,10 @@
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-10 08:26:22.000000000 -0400
+@@ -80,6 +80,7 @@
+ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+ # var/lib files for clamd
++manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+@@ -89,9 +90,10 @@
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
# pid file
@@ -14167,7 +14466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-@@ -189,6 +190,7 @@
+@@ -189,6 +191,7 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -14175,7 +14474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,6 +209,8 @@
+@@ -207,6 +210,8 @@
clamav_stream_connect(freshclam_t)
@@ -14186,7 +14485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.8/policy/modules/services/cmirrord.fc
--- nsaserefpolicy/policy/modules/services/cmirrord.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
@@ -14196,7 +14495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.8/policy/modules/services/cmirrord.if
--- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cmirrord.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,118 @@
+
+## <summary>policy for cmirrord</summary>
@@ -14318,7 +14617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.8.8/policy/modules/services/cmirrord.te
--- nsaserefpolicy/policy/modules/services/cmirrord.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cmirrord.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,56 @@
+policy_module(cmirrord,1.0.0)
+
@@ -14378,7 +14677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.8.8/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,7 +1,32 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -14419,7 +14718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.8.8/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.if 2010-07-30 14:06:53.000000000 -0400
@@ -1,14 +1,4 @@
## <summary>Cobbler installation server.</summary>
-## <desc>
@@ -14673,7 +14972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-08-05 09:43:50.000000000 -0400
@@ -1,3 +1,4 @@
+
policy_module(cobbler, 1.1.0)
@@ -14715,7 +15014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
type cobblerd_t;
type cobblerd_exec_t;
-@@ -23,28 +46,45 @@
+@@ -23,28 +46,46 @@
type cobbler_etc_t;
files_config_file(cobbler_etc_t)
@@ -14747,7 +15046,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
-+allow cobblerd_t self:udp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_socket_perms;
++allow cobblerd_t self:unix_dgram_socket create_socket_perms;
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
@@ -14768,7 +15068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,39 +92,93 @@
+@@ -52,39 +93,93 @@
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
@@ -14821,7 +15121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+
+init_dontaudit_read_all_script_files(cobblerd_t)
+
-+term_dontaudit_use_console(cobblerd_t)
++term_use_console(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
@@ -14866,7 +15166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
-@@ -95,6 +189,10 @@
+@@ -95,6 +190,10 @@
')
optional_policy(`
@@ -14877,7 +15177,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
-@@ -110,12 +208,20 @@
+@@ -106,16 +205,28 @@
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cobblerd_t)
++')
++
++optional_policy(`
+ rpm_exec(cobblerd_t)
')
optional_policy(`
@@ -14901,7 +15209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
########################################
-@@ -123,6 +229,18 @@
+@@ -123,6 +234,18 @@
# Cobbler web local policy.
#
@@ -14925,7 +15233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/consolekit.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/consolekit.te 2010-07-30 14:06:53.000000000 -0400
@@ -15,6 +15,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -14992,7 +15300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.8.8/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/corosync.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/corosync.fc 2010-07-30 14:06:53.000000000 -0400
@@ -3,6 +3,7 @@
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
@@ -15003,7 +15311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.8/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/corosync.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/corosync.te 2010-07-30 14:06:53.000000000 -0400
@@ -5,6 +5,13 @@
# Declarations
#
@@ -15091,7 +15399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.8.8/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/courier.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/courier.if 2010-07-30 14:06:53.000000000 -0400
@@ -38,10 +38,12 @@
read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
allow courier_$1_t courier_etc_t:dir list_dir_perms;
@@ -15107,7 +15415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
kernel_read_kernel_sysctls(courier_$1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.8.8/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/courier.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/courier.te 2010-07-30 14:06:53.000000000 -0400
@@ -48,6 +48,7 @@
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
@@ -15118,7 +15426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.8/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.fc 2010-07-30 14:06:53.000000000 -0400
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -15138,7 +15446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.if 2010-07-30 14:06:53.000000000 -0400
@@ -12,6 +12,10 @@
## </param>
#
@@ -15364,7 +15672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-07-30 14:06:53.000000000 -0400
@@ -63,9 +63,12 @@
type crond_tmp_t;
@@ -15660,7 +15968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
tunable_policy(`fcron_crond', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.fc 2010-07-30 14:06:53.000000000 -0400
@@ -71,3 +71,9 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
@@ -15673,7 +15981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.8.8/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -15722,7 +16030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-07-30 14:06:53.000000000 -0400
@@ -15,6 +15,7 @@
type cupsd_t;
type cupsd_exec_t;
@@ -15822,7 +16130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_search_auto_mountpoints(cups_pdf_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.8.8/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cvs.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cvs.te 2010-07-30 14:06:53.000000000 -0400
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -15831,7 +16139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.8.8/policy/modules/services/cyphesis.te
--- nsaserefpolicy/policy/modules/services/cyphesis.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cyphesis.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cyphesis.te 2010-07-30 14:06:53.000000000 -0400
@@ -36,9 +36,10 @@
allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)
@@ -15846,7 +16154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
kernel_read_kernel_sysctls(cyphesis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.8/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cyrus.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cyrus.te 2010-07-30 14:06:53.000000000 -0400
@@ -135,6 +135,7 @@
')
@@ -15857,7 +16165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_stream_connect(cyrus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.8.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dbus.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dbus.if 2010-07-30 14:06:53.000000000 -0400
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -15946,7 +16254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.8.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dbus.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dbus.te 2010-07-30 14:06:53.000000000 -0400
@@ -74,9 +74,10 @@
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@@ -16002,7 +16310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.8.8/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dcc.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dcc.te 2010-07-30 14:06:53.000000000 -0400
@@ -231,8 +231,9 @@
manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
@@ -16016,7 +16324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
kernel_read_kernel_sysctls(dccd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.8.8/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/denyhosts.if 2010-07-30 14:06:53.000000000 -0400
@@ -32,7 +32,7 @@
## </summary>
## <param name="domain">
@@ -16028,7 +16336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.8/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-07-30 14:06:53.000000000 -0400
@@ -25,7 +25,8 @@
#
# DenyHosts personal policy.
@@ -16068,7 +16376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-10 11:09:06.000000000 -0400
@@ -75,10 +75,12 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -16111,13 +16419,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
-+allow devicekit_disk_t self:process { getsched signal_perms };
++allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.8.8/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dhcp.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dhcp.if 2010-07-30 14:06:53.000000000 -0400
@@ -45,7 +45,7 @@
## </summary>
## <param name="domain">
@@ -16129,7 +16437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.8.8/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dhcp.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dhcp.te 2010-07-30 14:06:53.000000000 -0400
@@ -111,6 +111,11 @@
')
@@ -16144,7 +16452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.8.8/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/djbdns.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/djbdns.te 2010-07-30 14:06:53.000000000 -0400
@@ -22,6 +22,8 @@
# Local policy for axfrdns component
#
@@ -16156,7 +16464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.8.8/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -16177,7 +16485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.8.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.te 2010-07-30 14:06:53.000000000 -0400
@@ -92,7 +92,11 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -16193,7 +16501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.8.8/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.fc 2010-07-30 14:06:53.000000000 -0400
@@ -25,7 +25,7 @@
ifdef(`distro_redhat', `
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -16205,7 +16513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.8.8/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.if 2010-07-30 14:06:53.000000000 -0400
@@ -93,12 +93,14 @@
#
interface(`dovecot_admin',`
@@ -16249,7 +16557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-03 15:18:00.000000000 -0400
@@ -58,7 +58,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
@@ -16259,6 +16567,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
+@@ -72,7 +72,7 @@
+ read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+ read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+-allow dovecot_t dovecot_etc_t:file read_file_perms;
++read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+ files_search_etc(dovecot_t)
+
+ can_exec(dovecot_t, dovecot_exec_t)
@@ -94,10 +94,11 @@
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -16280,8 +16597,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -256,16 +258,22 @@
- allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+@@ -253,19 +255,25 @@
+
+ allow dovecot_deliver_t dovecot_t:process signull;
+
+-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
@@ -16312,7 +16633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.8.8/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/exim.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/exim.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
@@ -16322,7 +16643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.8.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/exim.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/exim.if 2010-07-30 14:06:53.000000000 -0400
@@ -20,6 +20,24 @@
########################################
@@ -16397,7 +16718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.8.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/exim.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/exim.te 2010-07-30 14:06:53.000000000 -0400
@@ -35,6 +35,9 @@
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
@@ -16429,7 +16750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.8.8/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fail2ban.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fail2ban.if 2010-07-30 14:06:53.000000000 -0400
@@ -138,6 +138,26 @@
########################################
@@ -16459,7 +16780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.8.8/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fail2ban.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fail2ban.te 2010-07-30 14:06:53.000000000 -0400
@@ -94,5 +94,9 @@
')
@@ -16472,7 +16793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.8.8/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fetchmail.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fetchmail.te 2010-07-30 14:06:53.000000000 -0400
@@ -37,8 +37,9 @@
allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
@@ -16486,7 +16807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
kernel_list_proc(fetchmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/finger.if serefpolicy-3.8.8/policy/modules/services/finger.if
--- nsaserefpolicy/policy/modules/services/finger.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/finger.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/finger.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -16498,7 +16819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fing
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.8.8/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fprintd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fprintd.te 2010-07-30 14:06:53.000000000 -0400
@@ -54,4 +54,5 @@
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
@@ -16507,7 +16828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.8.8/policy/modules/services/ftp.fc
--- nsaserefpolicy/policy/modules/services/ftp.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ftp.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ftp.fc 2010-07-30 14:06:53.000000000 -0400
@@ -29,3 +29,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
@@ -16515,7 +16836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.8/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ftp.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ftp.te 2010-07-30 14:06:53.000000000 -0400
@@ -40,6 +40,13 @@
## <desc>
@@ -16655,7 +16976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.8.8/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/git.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/git.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,12 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0)
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0)
@@ -16671,7 +16992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.8.8/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/git.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/git.if 2010-07-30 14:06:53.000000000 -0400
@@ -1 +1,525 @@
-## <summary>GIT revision control system</summary>
+## <summary>Fast Version Control System.</summary>
@@ -17201,7 +17522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.8.8/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/git.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/git.te 2010-07-30 14:06:53.000000000 -0400
@@ -1,8 +1,192 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.3)
@@ -17400,7 +17721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.8.8/policy/modules/services/gnomeclock.if
--- nsaserefpolicy/policy/modules/services/gnomeclock.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/gnomeclock.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/gnomeclock.if 2010-07-30 14:06:53.000000000 -0400
@@ -63,3 +63,24 @@
allow $1 gnomeclock_t:dbus send_msg;
allow gnomeclock_t $1:dbus send_msg;
@@ -17428,7 +17749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.8.8/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/gpsd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/gpsd.te 2010-07-30 14:06:53.000000000 -0400
@@ -56,6 +56,10 @@
miscfiles_read_localization(gpsd_t)
@@ -17442,7 +17763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.8.8/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/hal.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/hal.if 2010-07-30 14:06:53.000000000 -0400
@@ -377,6 +377,26 @@
########################################
@@ -17472,7 +17793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/hal.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/hal.te 2010-07-30 14:06:53.000000000 -0400
@@ -54,6 +54,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17569,7 +17890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
# Local hald dccm policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.8.8/policy/modules/services/hddtemp.fc
--- nsaserefpolicy/policy/modules/services/hddtemp.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/hddtemp.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/hddtemp.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,5 +1,3 @@
/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
@@ -17578,7 +17899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt
/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.8.8/policy/modules/services/icecast.te
--- nsaserefpolicy/policy/modules/services/icecast.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/icecast.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/icecast.te 2010-07-30 14:06:53.000000000 -0400
@@ -37,6 +37,8 @@
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
@@ -17600,7 +17921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.8.8/policy/modules/services/inetd.if
--- nsaserefpolicy/policy/modules/services/inetd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/inetd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/inetd.if 2010-07-30 14:06:53.000000000 -0400
@@ -178,7 +178,7 @@
## </summary>
## <param name="domain">
@@ -17621,7 +17942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.8/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/inn.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/inn.te 2010-07-30 14:06:53.000000000 -0400
@@ -56,7 +56,7 @@
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
@@ -17641,7 +17962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.8.8/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc 2010-07-30 14:06:53.000000000 -0400
@@ -8,7 +8,7 @@
/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -17653,7 +17974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.8/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/kerberos.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/kerberos.te 2010-07-30 14:06:53.000000000 -0400
@@ -126,10 +126,13 @@
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
@@ -17680,7 +18001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc 2010-07-30 14:06:53.000000000 -0400
@@ -3,3 +3,5 @@
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
@@ -17689,7 +18010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.8.8/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.if 2010-07-30 14:06:53.000000000 -0400
@@ -60,7 +60,7 @@
')
@@ -17701,7 +18022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
admin_pattern($1, ksmtuned_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.8.8/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.te 2010-07-30 14:06:53.000000000 -0400
@@ -9,6 +9,9 @@
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
@@ -17741,7 +18062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.8.8/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ldap.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ldap.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,6 +1,8 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
@@ -17759,7 +18080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.8.8/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ldap.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ldap.if 2010-07-30 14:06:53.000000000 -0400
@@ -1,5 +1,43 @@
## <summary>OpenLDAP directory server</summary>
@@ -17863,7 +18184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.8.8/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ldap.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ldap.te 2010-07-30 14:06:53.000000000 -0400
@@ -27,9 +27,15 @@
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -17905,7 +18226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
kernel_read_kernel_sysctls(slapd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.8.8/policy/modules/services/lircd.if
--- nsaserefpolicy/policy/modules/services/lircd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/lircd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/lircd.if 2010-07-30 14:06:53.000000000 -0400
@@ -45,7 +45,7 @@
## </summary>
## <param name="domain">
@@ -17917,7 +18238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.8.8/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/lircd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/lircd.te 2010-07-30 14:06:53.000000000 -0400
@@ -24,6 +24,7 @@
#
@@ -17946,7 +18267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
dev_rw_lirc(lircd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.te serefpolicy-3.8.8/policy/modules/services/lpd.te
--- nsaserefpolicy/policy/modules/services/lpd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/lpd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/lpd.te 2010-07-30 14:06:53.000000000 -0400
@@ -145,9 +145,10 @@
manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
@@ -17976,7 +18297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
fs_read_cifs_symlinks(lpr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.8.8/policy/modules/services/memcached.if
--- nsaserefpolicy/policy/modules/services/memcached.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/memcached.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/memcached.if 2010-07-30 14:06:53.000000000 -0400
@@ -59,6 +59,7 @@
gen_require(`
type memcached_t;
@@ -17987,7 +18308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
allow $1 memcached_t:process { ptrace signal_perms };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.8.8/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/milter.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/milter.if 2010-07-30 14:06:53.000000000 -0400
@@ -37,6 +37,8 @@
files_read_etc_files($1_milter_t)
@@ -18024,7 +18345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.8/policy/modules/services/mock.fc
--- nsaserefpolicy/policy/modules/services/mock.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mock.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mock.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,6 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
@@ -18034,7 +18355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.8/policy/modules/services/mock.if
--- nsaserefpolicy/policy/modules/services/mock.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mock.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mock.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,238 @@
+
+## <summary>policy for mock</summary>
@@ -18276,7 +18597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.8/policy/modules/services/mock.te
--- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mock.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mock.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,98 @@
+policy_module(mock,1.0.0)
+
@@ -18378,7 +18699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.8/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/modemmanager.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/modemmanager.te 2010-07-30 14:06:53.000000000 -0400
@@ -16,7 +16,8 @@
# ModemManager local policy
#
@@ -18409,7 +18730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.fc serefpolicy-3.8.8/policy/modules/services/mojomojo.fc
--- nsaserefpolicy/policy/modules/services/mojomojo.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,5 @@
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+
@@ -18418,7 +18739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojo
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.if serefpolicy-3.8.8/policy/modules/services/mojomojo.if
--- nsaserefpolicy/policy/modules/services/mojomojo.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,43 @@
+## <summary>Mojomojo server</summary>
+
@@ -18465,7 +18786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.te serefpolicy-3.8.8/policy/modules/services/mojomojo.te
--- nsaserefpolicy/policy/modules/services/mojomojo.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,45 @@
+policy_module(mojomojo, 1.0)
+
@@ -18514,7 +18835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.8/policy/modules/services/mpd.fc
--- nsaserefpolicy/policy/modules/services/mpd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mpd.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mpd.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,10 @@
+
+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
@@ -18528,7 +18849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.8.8/policy/modules/services/mpd.if
--- nsaserefpolicy/policy/modules/services/mpd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mpd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mpd.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,274 @@
+
+## <summary>policy for daemon for playing music</summary>
@@ -18806,7 +19127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.8.8/policy/modules/services/mpd.te
--- nsaserefpolicy/policy/modules/services/mpd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mpd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mpd.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,111 @@
+policy_module(mpd,1.0.0)
+
@@ -18921,7 +19242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-07-30 14:06:53.000000000 -0400
@@ -13,6 +13,8 @@
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -18933,7 +19254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-30 14:06:53.000000000 -0400
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@@ -19021,9 +19342,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
+@@ -899,3 +920,23 @@
+
+ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+ ')
++
++########################################
++## <summary>
++## Type transition files created in calling dir
++## to the mail address aliases type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Directory to transition on.
++## </summary>
++## </param>
++#
++interface(`mta_filetrans_aliases',`
++ filetrans_pattern($1, $2, etc_aliases_t, file)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-30 14:06:53.000000000 -0400
@@ -21,7 +21,7 @@
files_config_file(etc_mail_t)
@@ -19033,20 +19378,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
-@@ -62,9 +62,9 @@
+@@ -50,22 +50,9 @@
+
+ # newalias required this, not sure if it is needed in 'if' file
+ allow system_mail_t self:capability { dac_override fowner };
+-allow system_mail_t self:fifo_file rw_fifo_file_perms;
+-
+-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
- can_exec(system_mail_t, mta_exec_type)
+ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+-allow system_mail_t mail_forward_t:file read_file_perms;
+-
+-allow system_mail_t mta_exec_type:file entrypoint;
+-
+-can_exec(system_mail_t, mta_exec_type)
+-
-kernel_read_system_state(system_mail_t)
-kernel_read_network_state(system_mail_t)
-kernel_request_load_module(system_mail_t)
-+kernel_read_system_state(user_mail_domain)
-+kernel_read_network_state(user_mail_domain)
-+kernel_request_load_module(user_mail_domain)
-
+-
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
-@@ -82,6 +82,9 @@
+ dev_read_urand(system_mail_t)
+@@ -82,6 +69,9 @@
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -19056,7 +19411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,6 +95,12 @@
+@@ -92,6 +82,12 @@
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -19069,7 +19424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -103,6 +112,11 @@
+@@ -103,6 +99,11 @@
')
optional_policy(`
@@ -19081,7 +19436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -111,6 +125,8 @@
+@@ -111,6 +112,8 @@
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@@ -19090,15 +19445,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -130,6 +146,7 @@
+@@ -124,12 +127,8 @@
+ ')
optional_policy(`
+- exim_domtrans(system_mail_t)
+- exim_manage_log(system_mail_t)
+-')
+-
+-optional_policy(`
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
')
optional_policy(`
-@@ -146,6 +163,10 @@
+@@ -146,6 +145,10 @@
')
optional_policy(`
@@ -19109,7 +19470,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -189,6 +210,10 @@
+@@ -158,18 +161,6 @@
+ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+-
+- # postfix needs this for newaliases
+- files_getattr_tmp_dirs(system_mail_t)
+-
+- postfix_exec_master(system_mail_t)
+- postfix_read_config(system_mail_t)
+- postfix_search_spool(system_mail_t)
+-
+- ifdef(`distro_redhat',`
+- # compatability for old default main.cf
+- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+- ')
+ ')
+
+ optional_policy(`
+@@ -189,6 +180,10 @@
')
optional_policy(`
@@ -19120,7 +19500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -220,6 +245,7 @@
+@@ -220,6 +215,7 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -19128,18 +19508,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+@@ -292,3 +288,42 @@
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+ ')
++
++########################################
++#
++# Comman user_mail_domain policy
++#
++
++allow user_mail_domain self:fifo_file rw_fifo_file_perms;
++allow user_mail_domain mta_exec_type:file entrypoint;
++
++can_exec(user_mail_domain, mta_exec_type)
++
++allow system_mail_t user_mail_domain:file read_file_perms;
++
++read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
++
++kernel_read_system_state(user_mail_domain)
++kernel_read_network_state(user_mail_domain)
++kernel_request_load_module(user_mail_domain)
++
++
++
++optional_policy(`
++ # postfix needs this for newaliases
++ files_getattr_tmp_dirs(user_mail_domain)
++
++ postfix_exec_master(user_mail_domain)
++ postfix_read_config(user_mail_domain)
++ postfix_search_spool(user_mail_domain)
++
++ ifdef(`distro_redhat',`
++ # compatability for old default main.cf
++ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
++ ')
++')
++
++optional_policy(`
++ exim_domtrans(user_mail_domain)
++ exim_manage_log(user_mail_domain)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.8.8/policy/modules/services/munin.fc
+--- nsaserefpolicy/policy/modules/services/munin.fc 2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/munin.fc 2010-07-30 14:06:53.000000000 -0400
+@@ -63,6 +63,7 @@
+ /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+
+ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
++/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+ /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.8.8/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/munin.if 2010-07-27 16:12:03.000000000 -0400
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/munin.if 2010-07-30 14:06:53.000000000 -0400
+@@ -13,10 +13,11 @@
+ #
+ template(`munin_plugin_template',`
+ gen_require(`
+- type munin_t, munin_exec_t, munin_etc_t;
++ type munin_t;
++ attribute munin_plugin_domain;
+ ')
+
+- type $1_munin_plugin_t;
++ type $1_munin_plugin_t, munin_plugin_domain;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+@@ -36,17 +37,8 @@
# automatic transition rules from munin domain
# to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+ allow munin_t $1_munin_plugin_t:process signal;
- allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
-@@ -92,6 +93,24 @@
+- allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+-
+- read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+-
+- kernel_read_system_state($1_munin_plugin_t)
+-
+- corecmd_exec_bin($1_munin_plugin_t)
+-
+- miscfiles_read_localization($1_munin_plugin_t)
+ ')
+
+ ########################################
+@@ -92,6 +84,24 @@
files_search_etc($1)
')
@@ -19166,8 +19625,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
## Append to the munin log.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.8.8/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/munin.te 2010-07-27 16:12:03.000000000 -0400
-@@ -40,7 +40,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/munin.te 2010-08-05 16:45:38.000000000 -0400
+@@ -5,6 +5,8 @@
+ # Declarations
+ #
+
++attribute munin_plugin_domain;
++
+ type munin_t alias lrrd_t;
+ type munin_exec_t alias lrrd_exec_t;
+ init_daemon_domain(munin_t, munin_exec_t)
+@@ -24,6 +26,9 @@
+ type munin_var_lib_t alias lrrd_var_lib_t;
+ files_type(munin_var_lib_t)
+
++type munin_plugin_state_t;
++files_type(munin_plugin_state_t)
++
+ type munin_var_run_t alias lrrd_var_run_t;
+ files_pid_file(munin_var_run_t)
+
+@@ -40,7 +45,7 @@
# Local policy
#
@@ -19176,7 +19654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +71,10 @@
+@@ -71,9 +76,12 @@
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
files_search_var_lib(munin_t)
@@ -19185,10 +19663,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-files_pid_filetrans(munin_t, munin_var_run_t, file)
+files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
++
++read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
kernel_read_system_state(munin_t)
kernel_read_network_state(munin_t)
-@@ -145,6 +146,7 @@
+@@ -116,6 +124,7 @@
+
+ miscfiles_read_fonts(munin_t)
+ miscfiles_read_localization(munin_t)
++miscfiles_setattr_fonts_cache_dirs(munin_t)
+
+ sysnet_exec_ifconfig(munin_t)
+
+@@ -145,6 +154,7 @@
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
@@ -19196,7 +19684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
mta_read_queue(munin_t)
')
-@@ -159,6 +161,7 @@
+@@ -159,6 +169,7 @@
optional_policy(`
postfix_list_spool(munin_t)
@@ -19204,7 +19692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-@@ -182,6 +185,7 @@
+@@ -182,6 +193,7 @@
# local policy for disk plugins
#
@@ -19212,14 +19700,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -192,13 +196,15 @@
+@@ -190,15 +202,13 @@
- files_read_etc_files(disk_munin_plugin_t)
- files_read_etc_runtime_files(disk_munin_plugin_t)
-+files_read_usr_files(disk_munin_plugin_t)
+ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
- fs_getattr_all_fs(disk_munin_plugin_t)
+-files_read_etc_files(disk_munin_plugin_t)
+ files_read_etc_runtime_files(disk_munin_plugin_t)
+-fs_getattr_all_fs(disk_munin_plugin_t)
+-
+dev_getattr_lvm_control(disk_munin_plugin_t)
dev_read_sysfs(disk_munin_plugin_t)
dev_read_urand(disk_munin_plugin_t)
@@ -19229,7 +19718,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
sysnet_read_config(disk_munin_plugin_t)
-@@ -229,11 +235,13 @@
+@@ -221,19 +231,17 @@
+
+ dev_read_urand(mail_munin_plugin_t)
+
+-files_read_etc_files(mail_munin_plugin_t)
+-
+-fs_getattr_all_fs(mail_munin_plugin_t)
+-
+ logging_read_generic_logs(mail_munin_plugin_t)
mta_read_config(mail_munin_plugin_t)
mta_send_mail(mail_munin_plugin_t)
@@ -19243,16 +19740,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-@@ -249,6 +257,8 @@
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -255,10 +263,6 @@
+ dev_read_urand(services_munin_plugin_t)
+ dev_read_rand(services_munin_plugin_t)
-+corecmd_exec_shell(services_munin_plugin_t)
-+
- corenet_tcp_connect_all_ports(services_munin_plugin_t)
- corenet_tcp_connect_http_port(services_munin_plugin_t)
+-fs_getattr_all_fs(services_munin_plugin_t)
+-
+-files_read_etc_files(services_munin_plugin_t)
+-
+ sysnet_read_config(services_munin_plugin_t)
-@@ -286,6 +296,10 @@
+ optional_policy(`
+@@ -286,6 +290,10 @@
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -19263,24 +19762,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
##################################
#
# local policy for system plugins
-@@ -300,6 +314,8 @@
-
- corecmd_exec_shell(system_munin_plugin_t)
-
-+files_read_etc_files(system_munin_plugin_t)
-+
- fs_getattr_all_fs(system_munin_plugin_t)
+@@ -298,10 +306,6 @@
+ kernel_read_network_state(system_munin_plugin_t)
+ kernel_read_all_sysctls(system_munin_plugin_t)
+-corecmd_exec_shell(system_munin_plugin_t)
+-
+-fs_getattr_all_fs(system_munin_plugin_t)
+-
dev_read_sysfs(system_munin_plugin_t)
-@@ -313,3 +329,5 @@
+ dev_read_urand(system_munin_plugin_t)
+
+@@ -313,3 +317,29 @@
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
+term_getattr_all_ptys(system_munin_plugin_t)
+
++################################
++#
++# local policy for munin plugin domains
++#
++
++allow munin_plugin_domain munin_exec_t:file read_file_perms;
++allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
++
++# creates plugin state files
++manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
++
++read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
++
++kernel_read_system_state(munin_plugin_domain)
++
++corecmd_exec_bin(munin_plugin_domain)
++corecmd_exec_shell(munin_plugin_domain)
++
++files_read_etc_files(munin_plugin_domain)
++files_read_usr_files(munin_plugin_domain)
++
++fs_getattr_all_fs(munin_plugin_domain)
++
++miscfiles_read_localization(munin_plugin_domain)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.8.8/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mysql.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mysql.te 2010-07-30 14:06:53.000000000 -0400
@@ -64,6 +64,7 @@
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -19319,7 +19844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.8.8/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nagios.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nagios.if 2010-07-30 14:06:53.000000000 -0400
@@ -159,6 +159,26 @@
########################################
@@ -19349,7 +19874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.8.8/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nagios.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nagios.te 2010-07-30 14:06:53.000000000 -0400
@@ -107,13 +107,11 @@
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -19385,7 +19910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.8.8/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/networkmanager.fc 2010-07-30 14:06:53.000000000 -0400
@@ -2,6 +2,10 @@
/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -19399,7 +19924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.8.8/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/networkmanager.if 2010-07-30 14:06:53.000000000 -0400
@@ -137,6 +137,27 @@
########################################
@@ -19481,7 +20006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/networkmanager.te 2010-07-30 14:06:53.000000000 -0400
@@ -35,7 +35,7 @@
# networkmanager will ptrace itself if gdb is installed
@@ -19574,7 +20099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.8/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nis.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nis.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,5 +1,5 @@
/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
@@ -19592,7 +20117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.8.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nis.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nis.if 2010-08-05 14:51:55.000000000 -0400
@@ -19,7 +19,7 @@
## </desc>
## <param name="domain">
@@ -19602,9 +20127,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
## </summary>
## </param>
#
+@@ -49,12 +49,12 @@
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+- corenet_dontaudit_udp_bind_all_reserved_ports($1)
++ corenet_tcp_bind_all_rpc_ports($1)
++ corenet_udp_bind_all_rpc_ports($1)
+ corenet_dontaudit_tcp_bind_all_ports($1)
+ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+- corenet_tcp_connect_reserved_port($1)
++ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.8.8/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nscd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nscd.if 2010-07-30 14:06:53.000000000 -0400
@@ -60,7 +60,7 @@
## </summary>
## <param name="domain">
@@ -19650,7 +20191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.8.8/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nscd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nscd.te 2010-07-30 14:06:53.000000000 -0400
@@ -1,9 +1,16 @@
-policy_module(nscd, 1.10.0)
+policy_module(nscd, 1.10.1)
@@ -19728,7 +20269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.8.8/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nslcd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nslcd.if 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,7 @@
## </summary>
## <param name="domain">
@@ -19740,7 +20281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.8.8/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nslcd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nslcd.te 2010-07-30 14:06:53.000000000 -0400
@@ -34,6 +34,8 @@
manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
@@ -19752,7 +20293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc
auth_use_nsswitch(nslcd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.8.8/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ntp.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ntp.if 2010-07-30 14:06:53.000000000 -0400
@@ -22,7 +22,7 @@
## </summary>
## <param name="domain">
@@ -19791,7 +20332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.8.8/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ntp.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ntp.te 2010-07-30 14:06:53.000000000 -0400
@@ -96,9 +96,12 @@
dev_read_sysfs(ntpd_t)
# for SSP
@@ -19807,7 +20348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.8/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-07-30 14:06:53.000000000 -0400
@@ -41,7 +41,7 @@
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
@@ -19830,7 +20371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
# Local policy for upsdrvctl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.8.8/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nx.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nx.if 2010-07-30 14:06:53.000000000 -0400
@@ -35,6 +35,7 @@
allow $1 nx_server_var_lib_t:dir search_dir_perms;
@@ -19841,7 +20382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.8.8/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nx.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nx.te 2010-07-30 14:06:53.000000000 -0400
@@ -27,6 +27,9 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -19864,7 +20405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.8.8/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oddjob.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/oddjob.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,5 @@
/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
@@ -19873,8 +20414,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.8.8/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oddjob.if 2010-07-27 16:12:03.000000000 -0400
-@@ -44,6 +44,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/oddjob.if 2010-08-10 05:23:35.000000000 -0400
+@@ -22,6 +22,25 @@
+ domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+ ')
+
++#####################################
++## <summary>
++## Do not audit attempts to read and write
++## oddjob fifo file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`oddjob_dontaudit_rw_fifo_file',`
++ gen_require(`
++ type shutdown_t;
++ ')
++
++ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Make the specified program domain accessable
+@@ -44,6 +63,7 @@
')
domtrans_pattern(oddjob_t, $2, $1)
@@ -19882,9 +20449,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
')
########################################
+@@ -67,6 +87,24 @@
+ allow oddjob_t $1:dbus send_msg;
+ ')
+
++######################################
++## <summary>
++## Send a SIGCHLD signal to oddjob.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`oddjob_sigchld',`
++ gen_require(`
++ type oddjob_t;
++ ')
++
++ allow $1 oddjob_t:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to run oddjob_mkhomedir.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.8.8/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oddjob.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/oddjob.te 2010-07-30 14:06:53.000000000 -0400
@@ -99,8 +99,7 @@
# Add/remove user home directories
@@ -19898,7 +20490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oident.te serefpolicy-3.8.8/policy/modules/services/oident.te
--- nsaserefpolicy/policy/modules/services/oident.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oident.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/oident.te 2010-07-30 14:06:53.000000000 -0400
@@ -48,6 +48,7 @@
kernel_read_network_state(oidentd_t)
kernel_read_network_state_symlinks(oidentd_t)
@@ -19909,7 +20501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.8.8/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/openct.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/openct.te 2010-07-30 14:06:53.000000000 -0400
@@ -20,9 +20,10 @@
dontaudit openct_t self:capability sys_tty_config;
allow openct_t self:process signal_perms;
@@ -19924,7 +20516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
kernel_list_proc(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-07-30 14:06:53.000000000 -0400
@@ -24,6 +24,9 @@
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -19957,9 +20549,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
tunable_policy(`openvpn_enable_homedirs',`
userdom_read_user_home_content_files(openvpn_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.8.8/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pcscd.te 2010-08-04 14:25:34.000000000 -0400
+@@ -44,7 +44,8 @@
+ dev_rw_generic_usb_dev(pcscd_t)
+ dev_rw_smartcard(pcscd_t)
+ dev_rw_usbfs(pcscd_t)
+-dev_search_sysfs(pcscd_t)
++dev_list_sysfs(pcscd_t)
++dev_read_sysfs(pcscd_t)
+
+ files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.8.8/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pegasus.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pegasus.te 2010-07-30 14:06:53.000000000 -0400
@@ -29,7 +29,7 @@
# Local policy
#
@@ -20043,7 +20648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/perdition.if serefpolicy-3.8.8/policy/modules/services/perdition.if
--- nsaserefpolicy/policy/modules/services/perdition.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/perdition.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/perdition.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -20055,8 +20660,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/perd
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.8.8/policy/modules/services/piranha.fc
--- nsaserefpolicy/policy/modules/services/piranha.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.fc 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,21 @@
++++ serefpolicy-3.8.8/policy/modules/services/piranha.fc 2010-08-04 13:10:54.000000000 -0400
+@@ -0,0 +1,26 @@
+
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
@@ -20065,11 +20670,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
++/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
++
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
++/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
++/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++
+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
@@ -20077,10 +20688,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.if serefpolicy-3.8.8/policy/modules/services/piranha.if
--- nsaserefpolicy/policy/modules/services/piranha.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/piranha.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,175 @@
+
+## <summary>policy for piranha</summary>
@@ -20259,8 +20869,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.8/policy/modules/services/piranha.te
--- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,188 @@
++++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,216 @@
+policy_module(piranha,1.0.0)
+
+########################################
@@ -20291,6 +20901,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+type piranha_web_tmpfs_t;
+files_tmpfs_file(piranha_web_tmpfs_t)
+
++type piranha_web_conf_t;
++files_type(piranha_web_conf_t)
++
++type piranha_web_data_t;
++files_type(piranha_web_data_t)
++
++type piranha_web_tmp_t;
++files_tmp_file(piranha_web_tmp_t)
++
+type piranha_etc_rw_t;
+files_type(piranha_etc_rw_t)
+
@@ -20317,19 +20936,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
-+allow piranha_web_t self:process { getsched setsched signal ptrace };
++allow piranha_web_t self:process { getsched setsched signal signull ptrace };
+allow piranha_web_t self:rawip_socket create_socket_perms;
+
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
++manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
++
++read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
+
++can_exec(piranha_web_t, piranha_web_tmp_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
++
+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
@@ -20338,7 +20968,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
++corenet_tcp_bind_http_cache_port(piranha_web_t)
++corenet_tcp_bind_luci_port(piranha_web_t)
+corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_urand(piranha_web_t)
+
@@ -20349,10 +20982,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+consoletype_exec(piranha_web_t)
+
+optional_policy(`
++ apache_read_config(piranha_web_t)
+ apache_exec_modules(piranha_web_t)
+ apache_exec(piranha_web_t)
+')
+
++optional_policy(`
++ sasl_connect(piranha_web_t)
++')
++
+######################################
+#
+# piranha-lvs local policy
@@ -20451,7 +21089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+sysnet_read_config(piranha_domain)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.8.8/policy/modules/services/plymouthd.te
--- nsaserefpolicy/policy/modules/services/plymouthd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te 2010-07-30 14:06:53.000000000 -0400
@@ -60,10 +60,14 @@
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
@@ -20477,7 +21115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.8.8/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.fc 2010-07-30 14:06:53.000000000 -0400
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -20495,7 +21133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.8.8/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.if 2010-07-30 14:06:53.000000000 -0400
@@ -17,12 +17,37 @@
class dbus send_msg;
')
@@ -20594,7 +21232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-10 11:37:04.000000000 -0400
@@ -24,6 +24,9 @@
type policykit_reload_t alias polkit_reload_t;
files_type(policykit_reload_t)
@@ -20639,7 +21277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
auth_use_nsswitch(policykit_t)
-@@ -67,45 +77,82 @@
+@@ -67,45 +77,84 @@
miscfiles_read_localization(policykit_t)
@@ -20681,6 +21319,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
+policykit_dbus_chat(policykit_auth_t)
+
++kernel_read_system_state(policykit_auth_t)
++
can_exec(policykit_auth_t, policykit_auth_exec_t)
-corecmd_search_bin(policykit_auth_t)
+corecmd_exec_bin(policykit_auth_t)
@@ -20728,7 +21368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,6 +165,14 @@
+@@ -118,6 +167,14 @@
hal_read_state(policykit_auth_t)
')
@@ -20743,7 +21383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
########################################
#
# polkit_grant local policy
-@@ -125,7 +180,8 @@
+@@ -125,7 +182,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -20753,7 +21393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -155,9 +211,12 @@
+@@ -155,9 +213,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -20767,7 +21407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -169,7 +228,8 @@
+@@ -169,7 +230,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -20779,7 +21419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.if serefpolicy-3.8.8/policy/modules/services/portmap.if
--- nsaserefpolicy/policy/modules/services/portmap.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portmap.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portmap.if 2010-07-30 14:06:53.000000000 -0400
@@ -52,7 +52,7 @@
## </summary>
## <param name="domain">
@@ -20800,7 +21440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.8.8/policy/modules/services/portreserve.fc
--- nsaserefpolicy/policy/modules/services/portreserve.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portreserve.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portreserve.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
@@ -20810,7 +21450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.8.8/policy/modules/services/portreserve.if
--- nsaserefpolicy/policy/modules/services/portreserve.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portreserve.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portreserve.if 2010-07-30 14:06:53.000000000 -0400
@@ -18,6 +18,24 @@
domtrans_pattern($1, portreserve_exec_t, portreserve_t)
')
@@ -20879,7 +21519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.8.8/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portreserve.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portreserve.te 2010-07-30 14:06:53.000000000 -0400
@@ -9,6 +9,9 @@
type portreserve_exec_t;
init_daemon_domain(portreserve_t, portreserve_exec_t)
@@ -20907,7 +21547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
+userdom_dontaudit_search_user_home_content(portreserve_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.8.8/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,5 @@
# postfix
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
@@ -20929,7 +21569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.8.8/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-07-30 14:06:53.000000000 -0400
@@ -376,6 +376,25 @@
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -21140,7 +21780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-07-30 14:06:53.000000000 -0400
@@ -5,6 +5,15 @@
# Declarations
#
@@ -21224,7 +21864,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_type(postfix_spool_flush_t)
type postfix_public_t;
-@@ -150,6 +172,9 @@
+@@ -99,7 +121,9 @@
+ allow postfix_master_t self:udp_socket create_socket_perms;
+ allow postfix_master_t self:process setrlimit;
+
++allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
+ allow postfix_master_t postfix_etc_t:file rw_file_perms;
++mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+
+ can_exec(postfix_master_t, postfix_exec_t)
+
+@@ -150,6 +174,9 @@
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -21234,7 +21884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +192,8 @@
+@@ -167,6 +194,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -21243,7 +21893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
term_dontaudit_search_ptys(postfix_master_t)
-@@ -304,9 +331,17 @@
+@@ -304,9 +333,17 @@
')
optional_policy(`
@@ -21261,7 +21911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix map local policy
-@@ -420,6 +455,7 @@
+@@ -420,6 +457,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -21269,7 +21919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -588,6 +624,11 @@
+@@ -588,6 +626,11 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -21281,7 +21931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
-@@ -630,3 +671,8 @@
+@@ -630,3 +673,8 @@
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -21292,7 +21942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.8.8/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postgresql.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postgresql.if 2010-07-30 14:06:53.000000000 -0400
@@ -223,7 +223,7 @@
## </summary>
## <param name="domain">
@@ -21304,7 +21954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.8.8/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postgresql.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postgresql.te 2010-07-30 14:06:53.000000000 -0400
@@ -202,9 +202,10 @@
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -21319,7 +21969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
kernel_read_system_state(postgresql_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.8.8/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postgrey.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postgrey.te 2010-07-30 14:06:53.000000000 -0400
@@ -47,9 +47,10 @@
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
@@ -21334,7 +21984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
kernel_read_kernel_sysctls(postgrey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.8.8/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ppp.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ppp.if 2010-07-30 14:06:53.000000000 -0400
@@ -326,7 +326,7 @@
## </summary>
## <param name="domain">
@@ -21346,7 +21996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.8.8/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ppp.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ppp.te 2010-07-30 14:06:53.000000000 -0400
@@ -70,7 +70,7 @@
# PPPD Local policy
#
@@ -21390,7 +22040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
kernel_read_kernel_sysctls(pptp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.8.8/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/prelude.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/prelude.te 2010-07-30 14:06:53.000000000 -0400
@@ -72,9 +72,10 @@
manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
files_search_var_lib(prelude_t)
@@ -21405,7 +22055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
kernel_read_sysctl(prelude_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.8.8/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/procmail.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/procmail.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,5 @@
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
@@ -21414,7 +22064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.8.8/policy/modules/services/procmail.if
--- nsaserefpolicy/policy/modules/services/procmail.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/procmail.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/procmail.if 2010-07-30 14:06:53.000000000 -0400
@@ -77,3 +77,23 @@
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
@@ -21441,7 +22091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.8.8/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/procmail.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/procmail.te 2010-07-30 14:06:53.000000000 -0400
@@ -10,6 +10,9 @@
application_domain(procmail_t, procmail_exec_t)
role system_r types procmail_t;
@@ -21492,7 +22142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.8.8/policy/modules/services/psad.if
--- nsaserefpolicy/policy/modules/services/psad.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/psad.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/psad.if 2010-07-30 14:06:53.000000000 -0400
@@ -176,6 +176,26 @@
########################################
@@ -21531,7 +22181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
allow $1 psad_t:process { ptrace signal_perms };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.8/policy/modules/services/psad.te
--- nsaserefpolicy/policy/modules/services/psad.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/psad.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/psad.te 2010-07-30 14:06:53.000000000 -0400
@@ -53,9 +53,10 @@
logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
@@ -21554,7 +22204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.8.8/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/puppet.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/puppet.te 2010-07-30 14:06:53.000000000 -0400
@@ -63,7 +63,7 @@
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
@@ -21613,7 +22263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.8.8/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pyzor.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pyzor.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -21627,7 +22277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.8.8/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pyzor.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pyzor.if 2010-07-30 14:06:53.000000000 -0400
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -21681,7 +22331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.8.8/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pyzor.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pyzor.te 2010-07-30 14:06:53.000000000 -0400
@@ -5,6 +5,38 @@
# Declarations
#
@@ -21748,7 +22398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.8.8/policy/modules/services/qpidd.fc
--- nsaserefpolicy/policy/modules/services/qpidd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/qpidd.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/qpidd.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,9 @@
+
+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
@@ -21761,7 +22411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.8.8/policy/modules/services/qpidd.if
--- nsaserefpolicy/policy/modules/services/qpidd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/qpidd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/qpidd.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,236 @@
+
+## <summary>policy for qpidd</summary>
@@ -22001,7 +22651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.8.8/policy/modules/services/qpidd.te
--- nsaserefpolicy/policy/modules/services/qpidd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/qpidd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/qpidd.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,59 @@
+policy_module(qpidd,1.0.0)
+
@@ -22064,7 +22714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+sysnet_dns_name_resolve(qpidd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.8.8/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/radius.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/radius.te 2010-07-30 14:06:53.000000000 -0400
@@ -36,7 +36,7 @@
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
@@ -22087,7 +22737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
kernel_read_system_state(radiusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.8.8/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/radvd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/radvd.te 2010-07-30 14:06:53.000000000 -0400
@@ -33,8 +33,9 @@
allow radvd_t radvd_etc_t:file read_file_perms;
@@ -22101,7 +22751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv
kernel_rw_net_sysctls(radvd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.8.8/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/razor.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/razor.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
@@ -22109,7 +22759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.8.8/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/razor.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/razor.if 2010-07-30 14:06:53.000000000 -0400
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22158,7 +22808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.8.8/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/razor.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/razor.te 2010-07-30 14:06:53.000000000 -0400
@@ -5,6 +5,32 @@
# Declarations
#
@@ -22220,7 +22870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.8.8/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/remotelogin.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/remotelogin.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -22241,7 +22891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.8.8/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+
@@ -22250,7 +22900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.8.8/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.if 2010-07-30 14:06:53.000000000 -0400
@@ -75,3 +75,64 @@
fs_search_tmpfs($1)
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
@@ -22318,7 +22968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.8/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-07-30 14:06:53.000000000 -0400
@@ -17,6 +17,9 @@
domain_type(rgmanager_t)
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
@@ -22378,9 +23028,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc
+--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc 2010-08-10 11:56:57.000000000 -0400
+@@ -1,6 +1,7 @@
+ /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+ /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+ /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+ /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.8/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rhcs.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhcs.if 2010-07-30 14:06:53.000000000 -0400
@@ -14,6 +14,8 @@
template(`rhcs_domain_template',`
gen_require(`
@@ -22498,7 +23159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.8/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rhcs.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhcs.te 2010-07-30 14:06:53.000000000 -0400
@@ -13,6 +13,8 @@
gen_tunable(fenced_can_network_connect, false)
@@ -22589,7 +23250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.8.8/policy/modules/services/rhgb.if
--- nsaserefpolicy/policy/modules/services/rhgb.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rhgb.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhgb.if 2010-08-03 15:21:15.000000000 -0400
@@ -22,7 +22,7 @@
## </summary>
## <param name="domain">
@@ -22646,7 +23307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.8.8/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
@@ -22656,7 +23317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.8.8/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-08-10 05:23:35.000000000 -0400
@@ -18,6 +18,24 @@
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
@@ -22682,11 +23343,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
########################################
## <summary>
## Execute a domain transition to run ricci_modcluster.
-@@ -165,3 +183,48 @@
+@@ -96,6 +114,24 @@
+
+ ########################################
+ ## <summary>
++## Read and write to ricci_modcluserd temporary file system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ricci_rw_modclusterd_tmpfs_files',`
++ gen_require(`
++ type ricci_modcluserd_tmpfs_t;
++ ')
++
++ allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++## <summary>
+ ## Execute a domain transition to run ricci_modlog.
+ ## </summary>
+ ## <param name="domain">
+@@ -165,3 +201,67 @@
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
+
++####################################
++## <summary>
++## Allow the specified domain to manage ricci's lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ricci_manage_lib_files',`
++ gen_require(`
++ type ricci_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++')
+
+########################################
+## <summary>
@@ -22733,7 +23438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-10 05:23:35.000000000 -0400
@@ -10,6 +10,9 @@
domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)
@@ -22744,7 +23449,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
type ricci_tmp_t;
files_tmp_file(ricci_tmp_t)
-@@ -241,6 +244,10 @@
+@@ -42,6 +45,9 @@
+ domain_type(ricci_modclusterd_t)
+ init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
++type ricci_modclusterd_tmpfs_t;
++files_tmpfs_file(ricci_modclusterd_tmpfs_t)
++
+ type ricci_modlog_t;
+ type ricci_modlog_exec_t;
+ domain_type(ricci_modlog_t)
+@@ -105,6 +111,7 @@
+ files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+
+ kernel_read_kernel_sysctls(ricci_t)
++kernel_read_system_state(ricci_t)
+
+ corecmd_exec_bin(ricci_t)
+
+@@ -170,6 +177,10 @@
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(ricci_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ricci_t)
+ ')
+
+@@ -241,6 +252,10 @@
')
optional_policy(`
@@ -22755,7 +23489,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
-@@ -444,6 +451,12 @@
+@@ -261,6 +276,10 @@
+ allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+ allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+
++manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
++manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
++fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
++
+ allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+ manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+ manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+@@ -272,6 +291,7 @@
+
+ kernel_read_kernel_sysctls(ricci_modclusterd_t)
+ kernel_read_system_state(ricci_modclusterd_t)
++kernel_request_load_module(ricci_modclusterd_t)
+
+ corecmd_exec_bin(ricci_modclusterd_t)
+
+@@ -444,6 +464,12 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -22770,7 +23523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
term_dontaudit_use_console(ricci_modstorage_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.8.8/policy/modules/services/rlogin.fc
--- nsaserefpolicy/policy/modules/services/rlogin.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rlogin.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rlogin.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,7 @@
HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
@@ -22781,7 +23534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.8.8/policy/modules/services/rlogin.if
--- nsaserefpolicy/policy/modules/services/rlogin.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rlogin.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rlogin.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -22793,7 +23546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.8.8/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rlogin.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rlogin.te 2010-07-30 14:06:53.000000000 -0400
@@ -43,7 +43,6 @@
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -22814,7 +23567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
remotelogin_signal(rlogind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.8.8/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if 2010-07-30 14:06:53.000000000 -0400
@@ -141,7 +141,7 @@
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
@@ -22826,7 +23579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
allow $2 system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.8.8/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpcbind.te 2010-07-30 14:06:53.000000000 -0400
@@ -71,3 +71,7 @@
ifdef(`hide_broken_symptoms',`
dontaudit rpcbind_t self:udp_socket listen;
@@ -22837,7 +23590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.8/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpc.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpc.if 2010-07-30 14:06:53.000000000 -0400
@@ -128,7 +128,7 @@
## </summary>
## <param name="domain">
@@ -22927,7 +23680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.8.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpc.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpc.te 2010-07-30 14:06:53.000000000 -0400
@@ -63,8 +63,9 @@
allow rpcd_t self:fifo_file rw_fifo_file_perms;
@@ -22993,7 +23746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.if serefpolicy-3.8.8/policy/modules/services/rshd.if
--- nsaserefpolicy/policy/modules/services/rshd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rshd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rshd.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -23005,7 +23758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.8.8/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rshd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rshd.te 2010-07-30 14:06:53.000000000 -0400
@@ -66,6 +66,7 @@
seutil_read_default_contexts(rshd_t)
@@ -23016,7 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
fs_read_nfs_files(rshd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.8.8/policy/modules/services/rsync.if
--- nsaserefpolicy/policy/modules/services/rsync.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rsync.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rsync.if 2010-07-30 14:06:53.000000000 -0400
@@ -119,7 +119,7 @@
type rsync_etc_t;
')
@@ -23079,7 +23832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.8.8/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rsync.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rsync.te 2010-07-30 14:06:53.000000000 -0400
@@ -7,6 +7,13 @@
## <desc>
@@ -23141,7 +23894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
auth_can_read_shadow_passwords(rsync_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.8.8/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rtkit.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rtkit.if 2010-07-30 14:06:53.000000000 -0400
@@ -41,6 +41,27 @@
########################################
@@ -23172,7 +23925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.8.8/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rtkit.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rtkit.te 2010-07-30 14:06:53.000000000 -0400
@@ -8,6 +8,7 @@
type rtkit_daemon_t;
type rtkit_daemon_exec_t;
@@ -23183,7 +23936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.8.8/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.fc 2010-07-30 14:06:53.000000000 -0400
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -23194,7 +23947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.8.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.if 2010-07-30 14:06:53.000000000 -0400
@@ -10,7 +10,7 @@
## </summary>
## <param name="domain">
@@ -23449,7 +24202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-30 14:06:53.000000000 -0400
@@ -152,9 +152,6 @@
type winbind_log_t;
logging_log_file(winbind_log_t)
@@ -23627,7 +24380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.8.8/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sasl.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sasl.te 2010-07-30 14:06:53.000000000 -0400
@@ -42,13 +42,17 @@
manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
@@ -23649,7 +24402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
corenet_tcp_sendrecv_generic_if(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.8.8/policy/modules/services/sendmail.fc
--- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sendmail.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sendmail.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,6 @@
+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
@@ -23659,7 +24412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.8.8/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sendmail.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sendmail.if 2010-07-30 14:06:53.000000000 -0400
@@ -57,6 +57,24 @@
allow sendmail_t $1:process sigchld;
')
@@ -23738,7 +24491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.8.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sendmail.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sendmail.te 2010-07-30 14:06:53.000000000 -0400
@@ -19,6 +19,9 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -23803,7 +24556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if 2010-07-30 14:06:53.000000000 -0400
@@ -105,6 +105,25 @@
########################################
@@ -23850,7 +24603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
admin_pattern($1, setroubleshoot_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te 2010-07-30 14:06:53.000000000 -0400
@@ -32,6 +32,8 @@
allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
@@ -23914,7 +24667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
rpm_read_db(setroubleshoot_fixit_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.8.8/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/smartmon.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/smartmon.te 2010-08-05 14:48:00.000000000 -0400
@@ -82,6 +82,8 @@
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
@@ -23926,7 +24679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.8.8/policy/modules/services/smokeping.te
--- nsaserefpolicy/policy/modules/services/smokeping.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/smokeping.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/smokeping.te 2010-07-30 14:06:53.000000000 -0400
@@ -23,6 +23,7 @@
# smokeping local policy
#
@@ -23945,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.8.8/policy/modules/services/snmp.fc
--- nsaserefpolicy/policy/modules/services/snmp.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/snmp.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/snmp.fc 2010-07-30 14:06:53.000000000 -0400
@@ -18,7 +18,7 @@
/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
@@ -23957,7 +24710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.8.8/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/snmp.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/snmp.te 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,7 @@
#
# Local policy
@@ -23988,7 +24741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
auth_read_all_dirs_except_shadow(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.8.8/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/snort.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/snort.te 2010-07-30 14:06:53.000000000 -0400
@@ -61,6 +61,7 @@
kernel_read_proc_symlinks(snort_t)
kernel_request_load_module(snort_t)
@@ -24007,7 +24760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
dev_rw_generic_usb_dev(snort_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.8.8/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/spamassassin.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -24039,7 +24792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.8.8/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/spamassassin.if 2010-07-30 14:06:53.000000000 -0400
@@ -64,7 +64,7 @@
## </summary>
## <param name="domain">
@@ -24186,7 +24939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.8.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/spamassassin.te 2010-07-30 14:06:53.000000000 -0400
@@ -19,6 +19,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
@@ -24488,7 +25241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.8.8/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/squid.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/squid.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -24509,7 +25262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.8.8/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ssh.fc 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ssh.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,9 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
@@ -24530,7 +25283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.8.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ssh.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ssh.if 2010-07-30 14:06:53.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -24712,7 +25465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.8.8/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ssh.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ssh.te 2010-07-30 14:06:53.000000000 -0400
@@ -19,6 +19,13 @@
## </desc>
gen_tunable(ssh_sysadm_login, false)
@@ -24954,7 +25707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.8.8/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sssd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sssd.te 2010-07-30 14:06:53.000000000 -0400
@@ -31,6 +31,7 @@
allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
@@ -24982,7 +25735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
dbus_connect_system_bus(sssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.8.8/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/stunnel.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/stunnel.te 2010-07-30 14:06:53.000000000 -0400
@@ -46,8 +46,9 @@
manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
@@ -24996,7 +25749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun
kernel_read_system_state(stunnel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.8.8/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sysstat.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sysstat.te 2010-07-30 14:06:53.000000000 -0400
@@ -18,8 +18,7 @@
# Local policy
#
@@ -25018,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.8.8/policy/modules/services/tcpd.if
--- nsaserefpolicy/policy/modules/services/tcpd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tcpd.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tcpd.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -25030,7 +25783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.8.8/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/telnet.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/telnet.te 2010-07-30 14:06:53.000000000 -0400
@@ -38,7 +38,6 @@
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
@@ -25050,7 +25803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
kerberos_keytab_template(telnetd, telnetd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.8.8/policy/modules/services/tftp.if
--- nsaserefpolicy/policy/modules/services/tftp.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tftp.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tftp.if 2010-07-30 14:06:53.000000000 -0400
@@ -16,6 +16,26 @@
')
@@ -25117,7 +25870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.8.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tftp.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tftp.te 2010-07-30 14:06:53.000000000 -0400
@@ -94,6 +94,10 @@
')
@@ -25131,7 +25884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.8.8/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tgtd.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tgtd.te 2010-07-30 14:06:53.000000000 -0400
@@ -59,8 +59,12 @@
files_read_etc_files(tgtd_t)
@@ -25147,7 +25900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
+iscsi_manage_semaphores(tgtd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.8.8/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tor.te 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tor.te 2010-07-30 14:06:53.000000000 -0400
@@ -67,9 +67,10 @@
logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
@@ -25171,7 +25924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
tunable_policy(`tor_bind_all_unreserved_ports', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.if serefpolicy-3.8.8/policy/modules/services/tuned.if
--- nsaserefpolicy/policy/modules/services/tuned.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tuned.if 2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tuned.if 2010-07-30 14:06:53.000000000 -0400
@@ -81,7 +81,7 @@
## </summary>
## <param name="domain">
@@ -25183,7 +25936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.8.8/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tuned.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tuned.te 2010-07-30 14:06:53.000000000 -0400
@@ -24,6 +24,7 @@
#
@@ -25205,7 +25958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
sysnet_domtrans_ifconfig(tuned_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.8.8/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ucspitcp.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ucspitcp.te 2010-07-30 14:06:53.000000000 -0400
@@ -91,3 +91,8 @@
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
daemontools_read_svc(ucspitcp_t)
@@ -25217,15 +25970,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,3 +1,3 @@
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
-/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.8.8/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/uucp.te 2010-08-04 13:17:33.000000000 -0400
+@@ -83,6 +83,7 @@
+ corenet_udp_sendrecv_generic_node(uucpd_t)
+ corenet_tcp_sendrecv_all_ports(uucpd_t)
+ corenet_udp_sendrecv_all_ports(uucpd_t)
++corenet_tcp_connect_ssh_port(uucpd_t)
+
+ dev_read_urand(uucpd_t)
+
+@@ -113,6 +114,10 @@
+ kerberos_use(uucpd_t)
+ ')
+
++optional_policy(`
++ ssh_exec(uucpd_t)
++')
++
+ ########################################
+ #
+ # UUX Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.8.8/policy/modules/services/varnishd.if
--- nsaserefpolicy/policy/modules/services/varnishd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/varnishd.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/varnishd.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -25272,19 +26047,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
## Read varnish logs.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.8.8/policy/modules/services/varnishd.te
--- nsaserefpolicy/policy/modules/services/varnishd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/varnishd.te 2010-07-27 16:12:04.000000000 -0400
-@@ -50,7 +50,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/varnishd.te 2010-07-30 14:55:56.000000000 -0400
+@@ -50,7 +50,8 @@
# varnishd local policy
#
-allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
++dontaudit varnishd_t self:capability sys_tty_config;
allow varnishd_t self:process signal;
allow varnishd_t self:fifo_file rw_fifo_file_perms;
allow varnishd_t self:tcp_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,7 @@
## </summary>
## <param name="domain">
@@ -25314,7 +26090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
vhostmd_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.8/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te 2010-08-10 07:10:27.000000000 -0400
@@ -44,6 +44,8 @@
corenet_tcp_connect_soundd_port(vhostmd_t)
@@ -25324,9 +26100,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
files_read_etc_files(vhostmd_t)
files_read_usr_files(vhostmd_t)
+@@ -66,6 +68,7 @@
+
+ optional_policy(`
+ virt_stream_connect(vhostmd_t)
++ virt_write_content(vhostmd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-07-30 14:06:53.000000000 -0400
@@ -13,17 +13,18 @@
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -25351,7 +26135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.8.8/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.if 2010-08-10 07:08:50.000000000 -0400
@@ -21,6 +21,7 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -25417,7 +26201,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -308,6 +300,24 @@
+@@ -231,6 +223,24 @@
+
+ ########################################
+ ## <summary>
++## Allow domain to write virt image files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`virt_write_content',`
++ gen_require(`
++ type virt_content_t;
++ ')
++
++ allow $1 virt_content_t:file write_file_perms;
++')
++
++########################################
++## <summary>
+ ## Read virt PID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -308,6 +318,24 @@
########################################
## <summary>
@@ -25442,7 +26251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -433,15 +443,15 @@
+@@ -433,15 +461,15 @@
## </summary>
## </param>
#
@@ -25463,7 +26272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +526,51 @@
+@@ -516,3 +544,51 @@
virt_manage_log($1)
')
@@ -25517,7 +26326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-10 05:23:35.000000000 -0400
@@ -4,6 +4,7 @@
#
# Declarations
@@ -25542,7 +26351,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -71,8 +72,12 @@
+@@ -65,20 +66,25 @@
+ # virt Image files
+ type virt_image_t; # customizable
+ virt_image(virt_image_t)
++files_mountpoint(virt_image_t)
+
+ # virt Image files
+ type virt_content_t; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)
@@ -25555,7 +26371,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type virt_var_run_t;
files_pid_file(virt_var_run_t)
-@@ -89,6 +94,11 @@
+
+ type virt_var_lib_t;
+-files_type(virt_var_lib_t)
++files_mountpoint(virt_var_lib_t)
+
+ type virtd_t;
+ type virtd_exec_t;
+@@ -89,6 +95,11 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -25567,7 +26390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -104,15 +114,12 @@
+@@ -104,15 +115,12 @@
allow svirt_t self:udp_socket create_socket_perms;
@@ -25584,7 +26407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -147,11 +154,15 @@
+@@ -147,11 +155,15 @@
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -25600,7 +26423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,6 +171,7 @@
+@@ -160,6 +172,7 @@
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -25608,7 +26431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_manage_dos_dirs(svirt_t)
fs_manage_dos_files(svirt_t)
')
-@@ -168,28 +180,39 @@
+@@ -168,28 +181,39 @@
xen_rw_image_files(svirt_t)
')
@@ -25651,7 +26474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,9 +223,15 @@
+@@ -200,9 +224,15 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -25667,7 +26490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -220,6 +249,7 @@
+@@ -220,6 +250,7 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -25675,7 +26498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -243,18 +273,25 @@
+@@ -243,18 +274,25 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -25702,7 +26525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +299,17 @@
+@@ -262,6 +300,17 @@
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -25720,7 +26543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -286,15 +334,22 @@
+@@ -286,15 +335,22 @@
logging_send_syslog_msg(virtd_t)
@@ -25743,7 +26566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +420,7 @@
+@@ -365,6 +421,7 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -25751,7 +26574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -402,6 +458,19 @@
+@@ -402,6 +459,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -25771,7 +26594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +491,7 @@
+@@ -422,6 +492,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -25779,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,6 +499,7 @@
+@@ -429,10 +500,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -25787,7 +26610,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
domain_use_interactive_fds(virt_domain)
-@@ -440,6 +511,11 @@
+ files_read_etc_files(virt_domain)
++files_read_mnt_symlinks(virt_domain)
+ files_read_usr_files(virt_domain)
+ files_read_var_files(virt_domain)
+ files_search_all(virt_domain)
+@@ -440,6 +513,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -25799,7 +26627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +533,121 @@
+@@ -457,8 +535,121 @@
')
optional_policy(`
@@ -25923,7 +26751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.8.8/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/w3c.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/w3c.te 2010-07-30 14:06:53.000000000 -0400
@@ -7,11 +7,18 @@
apache_content_template(w3c_validator)
@@ -25951,7 +26779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
+apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.8.8/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.fc 2010-07-30 14:06:53.000000000 -0400
@@ -2,13 +2,23 @@
# HOME_DIR
#
@@ -26075,7 +26903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-07-30 14:06:53.000000000 -0400
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -26688,7 +27516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-05 16:01:15.000000000 -0400
@@ -35,6 +35,13 @@
## <desc>
@@ -27086,7 +27914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+logging_log_filetrans(xdm_t, xdm_log_t, file)
++logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
+
manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
@@ -27209,7 +28037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -473,6 +643,11 @@
+@@ -473,6 +643,13 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -27218,10 +28046,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+userdom_manage_user_tmp_files(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
+userdom_manage_tmpfs_role(system_r, xdm_t)
++
++application_signal(xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,11 +679,17 @@
+@@ -504,11 +681,17 @@
')
optional_policy(`
@@ -27239,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -516,12 +697,51 @@
+@@ -516,12 +699,51 @@
')
optional_policy(`
@@ -27291,7 +28121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -539,20 +759,63 @@
+@@ -539,20 +761,63 @@
')
optional_policy(`
@@ -27357,7 +28187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -561,7 +824,6 @@
+@@ -561,7 +826,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -27365,7 +28195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +834,10 @@
+@@ -572,6 +836,10 @@
')
optional_policy(`
@@ -27376,7 +28206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -596,10 +862,9 @@
+@@ -596,10 +864,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -27388,7 +28218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -611,6 +876,18 @@
+@@ -611,6 +878,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -27407,7 +28237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -630,12 +907,19 @@
+@@ -630,12 +909,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -27429,7 +28259,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -669,7 +953,6 @@
+@@ -643,6 +929,7 @@
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctls(xserver_t)
+ kernel_write_proc_files(xserver_t)
++kernel_request_load_module(xserver_t)
+
+ # Run helper programs in xserver_t.
+ corecmd_exec_bin(xserver_t)
+@@ -669,7 +956,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -27437,7 +28275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -679,9 +962,12 @@
+@@ -679,9 +965,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -27451,7 +28289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -696,8 +982,13 @@
+@@ -696,8 +985,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -27465,7 +28303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -719,11 +1010,14 @@
+@@ -719,11 +1013,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -27480,7 +28318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,12 +1069,28 @@
+@@ -775,12 +1072,28 @@
')
optional_policy(`
@@ -27510,7 +28348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -804,10 +1114,10 @@
+@@ -804,10 +1117,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -27523,7 +28361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1138,13 @@
+@@ -828,6 +1141,13 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -27537,7 +28375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1160,14 @@
+@@ -843,11 +1163,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -27554,7 +28392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -993,3 +1313,33 @@
+@@ -993,3 +1316,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -27590,7 +28428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.8.8/policy/modules/services/zabbix.te
--- nsaserefpolicy/policy/modules/services/zabbix.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/zabbix.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zabbix.te 2010-07-30 14:06:53.000000000 -0400
@@ -35,8 +35,9 @@
logging_log_filetrans(zabbix_t, zabbix_log_t, file)
@@ -27604,7 +28442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.fc serefpolicy-3.8.8/policy/modules/services/zarafa.fc
--- nsaserefpolicy/policy/modules/services/zarafa.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/zarafa.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zarafa.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,27 @@
+
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
@@ -27635,7 +28473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.if serefpolicy-3.8.8/policy/modules/services/zarafa.if
--- nsaserefpolicy/policy/modules/services/zarafa.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/zarafa.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zarafa.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,105 @@
+
+## <summary>policy for zarafa services</summary>
@@ -27744,7 +28582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.te serefpolicy-3.8.8/policy/modules/services/zarafa.te
--- nsaserefpolicy/policy/modules/services/zarafa.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/zarafa.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zarafa.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,133 @@
+policy_module(zarafa, 1.0.0)
+
@@ -27881,7 +28719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.8.8/policy/modules/services/zebra.te
--- nsaserefpolicy/policy/modules/services/zebra.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/zebra.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zebra.te 2010-07-30 14:06:53.000000000 -0400
@@ -61,9 +61,10 @@
allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
@@ -27894,9 +28732,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
kernel_read_system_state(zebra_t)
kernel_read_network_state(zebra_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.8.8/policy/modules/system/application.if
+--- nsaserefpolicy/policy/modules/system/application.if 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/application.if 2010-08-03 14:32:57.000000000 -0400
+@@ -130,3 +130,21 @@
+
+ allow $1 application_domain_type:process signull;
+ ')
++
++########################################
++## <summary>
++## Send signal to all application domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`application_signal',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:process signal;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.8.8/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/application.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/application.te 2010-07-30 14:06:53.000000000 -0400
@@ -6,6 +6,22 @@
# Executables to be run by user
attribute application_exec_type;
@@ -27922,7 +28785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.8.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.fc 2010-07-30 14:06:53.000000000 -0400
@@ -10,6 +10,7 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
@@ -27933,7 +28796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-10 11:41:52.000000000 -0400
@@ -91,9 +91,12 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -28057,7 +28920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.8.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.te 2010-07-30 14:06:53.000000000 -0400
@@ -8,6 +8,7 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -28089,7 +28952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.if serefpolicy-3.8.8/policy/modules/system/clock.if
--- nsaserefpolicy/policy/modules/system/clock.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/clock.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/clock.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -28119,7 +28982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.8.8/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/daemontools.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/daemontools.if 2010-07-30 14:06:53.000000000 -0400
@@ -71,6 +71,32 @@
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
@@ -28202,7 +29065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.8.8/policy/modules/system/daemontools.te
--- nsaserefpolicy/policy/modules/system/daemontools.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/daemontools.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/daemontools.te 2010-07-30 14:06:53.000000000 -0400
@@ -38,7 +38,10 @@
# multilog creates /service/*/log/status
manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
@@ -28277,7 +29140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
daemontools_manage_svc(svc_start_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.8.8/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/fstools.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -28293,7 +29156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.8.8/policy/modules/system/fstools.if
--- nsaserefpolicy/policy/modules/system/fstools.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/fstools.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -28350,7 +29213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-07-30 14:06:53.000000000 -0400
@@ -117,6 +117,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -28386,7 +29249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.8.8/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/getty.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/getty.te 2010-07-30 14:06:53.000000000 -0400
@@ -83,7 +83,7 @@
term_setattr_all_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
@@ -28398,7 +29261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.8.8/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hostname.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hostname.te 2010-07-30 14:06:53.000000000 -0400
@@ -26,15 +26,18 @@
dev_read_sysfs(hostname_t)
@@ -28431,7 +29294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.if serefpolicy-3.8.8/policy/modules/system/hotplug.if
--- nsaserefpolicy/policy/modules/system/hotplug.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hotplug.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hotplug.if 2010-07-30 14:06:53.000000000 -0400
@@ -139,7 +139,7 @@
## </summary>
## <param name="domain">
@@ -28443,7 +29306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
## <rolecap/>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-07-30 14:06:53.000000000 -0400
@@ -23,7 +23,7 @@
#
@@ -28471,7 +29334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,13 @@
#
# /sbin
@@ -28498,7 +29361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-07-30 14:06:53.000000000 -0400
@@ -105,7 +105,11 @@
role system_r types $1;
@@ -28860,7 +29723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-10 05:23:35.000000000 -0400
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -28972,7 +29835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,65 @@
+@@ -185,15 +216,66 @@
sysadm_shell_domtrans(init_t)
')
@@ -28994,7 +29857,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ dev_rw_autofs(init_t)
+ dev_manage_generic_dirs(init_t)
+ dev_read_generic_chr_files(init_t)
-+
++ dev_relabelfrom_generic_chr_files(init_t)
++ dev_relabelto_autofs_dev(init_t)
+ files_mounton_all_mountpoints(init_t)
+ files_manage_all_pids_dirs(init_t)
+
@@ -29038,7 +29902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -211,7 +292,7 @@
+@@ -211,7 +293,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29047,7 +29911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -240,6 +321,7 @@
+@@ -240,6 +322,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29055,7 +29919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +339,22 @@
+@@ -257,11 +340,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29078,7 +29942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +390,13 @@
+@@ -297,11 +391,13 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29092,7 +29956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -320,8 +415,10 @@
+@@ -320,8 +416,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29104,7 +29968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -337,6 +434,8 @@
+@@ -337,6 +435,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29113,7 +29977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_delete_cgroup_dirs(initrc_t)
fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +449,8 @@
+@@ -350,6 +450,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29122,7 +29986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -362,6 +463,7 @@
+@@ -362,6 +464,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29130,7 +29994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -393,13 +495,14 @@
+@@ -393,13 +496,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29146,7 +30010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +575,7 @@
+@@ -472,7 +576,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29155,7 +30019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -518,6 +621,19 @@
+@@ -518,6 +622,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -29175,7 +30039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -525,10 +641,17 @@
+@@ -525,10 +642,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29193,7 +30057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -543,6 +666,35 @@
+@@ -543,6 +667,35 @@
')
')
@@ -29229,7 +30093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +707,8 @@
+@@ -555,6 +708,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29238,7 +30102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -571,6 +725,7 @@
+@@ -571,6 +726,7 @@
optional_policy(`
cgroup_stream_connect(initrc_t)
@@ -29246,7 +30110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -583,6 +738,11 @@
+@@ -583,6 +739,11 @@
')
optional_policy(`
@@ -29258,7 +30122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -599,6 +759,7 @@
+@@ -599,6 +760,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29266,7 +30130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -700,7 +861,12 @@
+@@ -700,7 +862,12 @@
')
optional_policy(`
@@ -29279,7 +30143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -723,6 +889,10 @@
+@@ -723,6 +890,10 @@
')
optional_policy(`
@@ -29290,7 +30154,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -765,8 +935,6 @@
+@@ -744,6 +915,10 @@
+ ')
+
+ optional_policy(`
++ ricci_manage_lib_files(initrc_t)
++')
++
++optional_policy(`
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+
+@@ -765,8 +940,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29299,7 +30174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -779,10 +947,12 @@
+@@ -779,10 +952,12 @@
squid_manage_logs(initrc_t)
')
@@ -29312,7 +30187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +974,19 @@
+@@ -804,11 +979,19 @@
')
optional_policy(`
@@ -29333,7 +30208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +996,25 @@
+@@ -818,6 +1001,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29359,7 +30234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -843,3 +1040,55 @@
+@@ -843,3 +1045,55 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29417,7 +30292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.8.8/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.fc 2010-08-03 13:29:20.000000000 -0400
@@ -25,6 +25,7 @@
/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
@@ -29426,9 +30301,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+@@ -35,6 +36,8 @@
+ /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+
++/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++
+ /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
+ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.8/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.if 2010-08-11 07:44:10.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -29532,7 +30416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
## </summary>
## </param>
#
-@@ -273,3 +291,61 @@
+@@ -273,3 +291,81 @@
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -29594,9 +30478,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+ allow $1 ipsec_mgmt_t:process sigkill;
+')
+
++######################################
++## <summary>
++## Send and receive messages from
++## ipsec-mgmt over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_mgmt_dbus_chat',`
++ gen_require(`
++ type ipsec_mgmt_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 ipsec_mgmt_t:dbus send_msg;
++ allow ipsec_mgmt_t $1:dbus send_msg;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-10 11:57:19.000000000 -0400
@@ -72,7 +72,7 @@
#
@@ -29618,7 +30522,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
can_exec(ipsec_t, ipsec_mgmt_exec_t)
-@@ -166,6 +167,8 @@
+@@ -107,7 +108,7 @@
+ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+ allow ipsec_mgmt_t ipsec_t:fd use;
+ allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+-dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
++allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+ allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+ kernel_read_kernel_sysctls(ipsec_t)
+@@ -149,6 +150,7 @@
+ files_list_tmp(ipsec_t)
+ files_read_etc_files(ipsec_t)
+ files_read_usr_files(ipsec_t)
++files_dontaudit_search_home(ipsec_t)
+
+ fs_getattr_all_fs(ipsec_t)
+ fs_search_auto_mountpoints(ipsec_t)
+@@ -166,6 +168,8 @@
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -29627,7 +30548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -184,8 +187,8 @@
+@@ -184,8 +188,8 @@
#
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@@ -29638,7 +30559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -224,7 +227,6 @@
+@@ -224,7 +228,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -29646,7 +30567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -243,6 +245,17 @@
+@@ -243,6 +246,17 @@
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -29664,7 +30585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -257,7 +270,7 @@
+@@ -257,7 +271,7 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -29673,7 +30594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -275,8 +288,11 @@
+@@ -275,8 +289,11 @@
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -29686,7 +30607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
-@@ -290,7 +306,9 @@
+@@ -290,7 +307,9 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
@@ -29696,7 +30617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -299,6 +317,23 @@
+@@ -299,6 +318,23 @@
')
optional_policy(`
@@ -29720,7 +30641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -385,6 +420,8 @@
+@@ -385,6 +421,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -29729,7 +30650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -411,6 +448,7 @@
+@@ -411,6 +449,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -29737,14 +30658,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -422,3 +460,4 @@
+@@ -422,3 +461,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.8.8/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iptables.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iptables.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,12 +1,19 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -29769,7 +30690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.8.8/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iptables.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iptables.if 2010-08-05 15:53:11.000000000 -0400
@@ -17,6 +17,10 @@
corecmd_search_bin($1)
@@ -29801,7 +30722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.8.8/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iptables.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iptables.te 2010-07-30 14:06:53.000000000 -0400
@@ -13,9 +13,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -29888,7 +30809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.8.8/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iscsi.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iscsi.if 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,7 @@
## </summary>
## <param name="domain">
@@ -29922,7 +30843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.8/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iscsi.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iscsi.te 2010-07-30 14:06:53.000000000 -0400
@@ -76,6 +76,8 @@
dev_rw_sysfs(iscsid_t)
@@ -29934,7 +30855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.8.8/policy/modules/system/kdump.if
--- nsaserefpolicy/policy/modules/system/kdump.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/kdump.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/kdump.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -29955,18 +30876,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.8.8/policy/modules/system/kdump.te
--- nsaserefpolicy/policy/modules/system/kdump.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/kdump.te 2010-07-27 16:12:04.000000000 -0400
-@@ -29,6 +29,7 @@
++++ serefpolicy-3.8.8/policy/modules/system/kdump.te 2010-08-04 13:52:39.000000000 -0400
+@@ -29,6 +29,8 @@
kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
+kernel_read_debugfs(kdump_t)
++kernel_request_load_module(kdump_t)
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/libraries.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/libraries.fc 2010-07-30 14:06:53.000000000 -0400
@@ -129,15 +129,13 @@
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30180,7 +31102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.8.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-07-30 14:06:53.000000000 -0400
@@ -61,7 +61,7 @@
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
@@ -30219,14 +31141,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
# leaked fds from portage
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.8.8/policy/modules/system/locallogin.fc
--- nsaserefpolicy/policy/modules/system/locallogin.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,2 +1,3 @@
/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-3.8.8/policy/modules/system/locallogin.if
--- nsaserefpolicy/policy/modules/system/locallogin.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/locallogin.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/locallogin.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -30247,7 +31169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.8.8/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/locallogin.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/locallogin.te 2010-07-30 14:06:53.000000000 -0400
@@ -32,9 +32,8 @@
# Local login local policy
#
@@ -30359,7 +31281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.8.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.fc 2010-07-30 14:06:53.000000000 -0400
@@ -17,6 +17,10 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -30400,7 +31322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.8.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.if 2010-07-30 14:06:53.000000000 -0400
@@ -545,6 +545,25 @@
########################################
@@ -30474,7 +31396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.te 2010-07-30 14:06:53.000000000 -0400
@@ -60,6 +60,7 @@
type syslogd_t;
type syslogd_exec_t;
@@ -30582,7 +31504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.8.8/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/lvm.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/lvm.fc 2010-07-30 14:06:53.000000000 -0400
@@ -28,10 +28,12 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -30598,7 +31520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.8.8/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/lvm.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/lvm.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -30637,7 +31559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
## <rolecap/>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.8.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-07-30 14:06:53.000000000 -0400
@@ -141,6 +141,11 @@
')
@@ -30724,7 +31646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.8.8/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.fc 2010-07-30 14:06:53.000000000 -0400
@@ -75,13 +75,11 @@
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -30743,7 +31665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.8.8/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if 2010-07-30 14:06:53.000000000 -0400
@@ -305,9 +305,6 @@
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
@@ -30756,7 +31678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.8/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/modutils.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/modutils.if 2010-07-30 14:06:53.000000000 -0400
@@ -39,6 +39,26 @@
########################################
@@ -30786,7 +31708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-07-30 14:06:53.000000000 -0400
@@ -18,6 +18,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -30882,7 +31804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.8.8/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,10 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -30897,7 +31819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.8.8/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -31130,7 +32052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-07-30 14:06:53.000000000 -0400
@@ -17,8 +17,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -31232,7 +32154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -79,15 +122,19 @@
+@@ -79,15 +122,20 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -31247,6 +32169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
-fs_list_auto_mountpoints(mount_t)
+fs_rw_anon_inodefs_files(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
++fs_rw_nfsd_fs(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
+fs_read_fusefs_files(mount_t)
@@ -31255,7 +32178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -98,6 +145,7 @@
+@@ -98,6 +146,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -31263,7 +32186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
term_use_all_terms(mount_t)
-@@ -106,6 +154,8 @@
+@@ -106,6 +155,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -31272,7 +32195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -116,6 +166,12 @@
+@@ -116,6 +167,12 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -31285,7 +32208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -131,10 +187,17 @@
+@@ -131,10 +188,17 @@
')
')
@@ -31303,7 +32226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -164,6 +227,8 @@
+@@ -164,6 +228,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -31312,7 +32235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -171,6 +236,25 @@
+@@ -171,6 +237,25 @@
')
optional_policy(`
@@ -31338,7 +32261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +262,11 @@
+@@ -178,6 +263,11 @@
')
')
@@ -31350,7 +32273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -185,6 +274,19 @@
+@@ -185,6 +275,19 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -31370,7 +32293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -193,6 +295,42 @@
+@@ -193,6 +296,42 @@
#
optional_policy(`
@@ -31416,7 +32339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+userdom_use_user_terminals(showmount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.if serefpolicy-3.8.8/policy/modules/system/pcmcia.if
--- nsaserefpolicy/policy/modules/system/pcmcia.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/pcmcia.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/pcmcia.if 2010-07-30 14:06:53.000000000 -0400
@@ -22,7 +22,7 @@
## </summary>
## <param name="domain">
@@ -31446,7 +32369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia
## <param name="role">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.if serefpolicy-3.8.8/policy/modules/system/raid.if
--- nsaserefpolicy/policy/modules/system/raid.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/raid.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/raid.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -31467,7 +32390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.i
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.8/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-07-30 14:06:53.000000000 -0400
@@ -30,8 +30,9 @@
allow mdadm_t mdadm_map_t:file manage_file_perms;
dev_filetrans(mdadm_t, mdadm_map_t, file)
@@ -31489,7 +32412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_dontaudit_list_tmpfs(mdadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc 2010-07-30 14:06:53.000000000 -0400
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -31531,7 +32454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.8.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if 2010-07-30 14:06:53.000000000 -0400
@@ -361,6 +361,27 @@
########################################
@@ -31910,7 +32833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-07-30 14:06:53.000000000 -0400
@@ -22,6 +22,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -32296,7 +33219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.8.8/policy/modules/system/setrans.if
--- nsaserefpolicy/policy/modules/system/setrans.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/setrans.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/setrans.if 2010-07-30 14:06:53.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -32308,7 +33231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.8.8/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/setrans.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/setrans.te 2010-07-30 14:06:53.000000000 -0400
@@ -12,6 +12,7 @@
type setrans_t;
type setrans_exec_t;
@@ -32331,13 +33254,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
kernel_read_proc_symlinks(setrans_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.8.8/policy/modules/system/sosreport.fc
--- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/sosreport.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sosreport.fc 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.8.8/policy/modules/system/sosreport.if
--- nsaserefpolicy/policy/modules/system/sosreport.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/sosreport.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sosreport.if 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,131 @@
+
+## <summary>policy for sosreport</summary>
@@ -32472,7 +33395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.8.8/policy/modules/system/sosreport.te
--- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-07-30 14:06:53.000000000 -0400
@@ -0,0 +1,154 @@
+policy_module(sosreport,1.0.0)
+
@@ -32630,7 +33553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc 2010-07-30 14:06:53.000000000 -0400
@@ -64,3 +64,5 @@
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -32639,7 +33562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.8.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if 2010-08-10 05:23:35.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -32838,7 +33761,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## </summary>
## </param>
#
-@@ -453,7 +524,7 @@
+@@ -444,6 +515,7 @@
+ type dhcpc_var_run_t;
+ ')
+
++ files_rw_pid_dirs($1)
+ allow $1 dhcpc_var_run_t:file unlink;
+ ')
+
+@@ -453,7 +525,7 @@
## </summary>
## <param name="domain">
## <summary>
@@ -32847,7 +33778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## </summary>
## </param>
#
-@@ -464,6 +535,10 @@
+@@ -464,6 +536,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -32858,7 +33789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -474,7 +549,7 @@
+@@ -474,7 +550,7 @@
## </summary>
## <param name="domain">
## <summary>
@@ -32867,7 +33798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## </summary>
## </param>
## <param name="role">
-@@ -534,6 +609,25 @@
+@@ -534,6 +610,25 @@
########################################
## <summary>
@@ -32893,7 +33824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -677,7 +771,10 @@
+@@ -677,7 +772,10 @@
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
@@ -32905,7 +33836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -709,5 +806,52 @@
+@@ -709,5 +807,52 @@
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
@@ -32961,7 +33892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-07-30 14:45:35.000000000 -0400
@@ -5,6 +5,13 @@
# Declarations
#
@@ -33085,7 +34016,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -327,6 +364,8 @@
+@@ -314,6 +351,10 @@
+ ')
+ ')
+
++optional_policy(`
++ brctl_domtrans(ifconfig_t)
++')
++
+ ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ dev_dontaudit_rw_cardmgr(ifconfig_t)
+@@ -327,6 +368,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
@@ -33094,7 +34036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -334,6 +373,10 @@
+@@ -334,6 +377,10 @@
')
optional_policy(`
@@ -33105,7 +34047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +398,9 @@
+@@ -355,3 +402,9 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -33117,7 +34059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.8.8/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/udev.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/udev.fc 2010-07-30 14:06:53.000000000 -0400
@@ -22,3 +22,4 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -33125,7 +34067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.8.8/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/udev.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/udev.if 2010-07-30 14:06:53.000000000 -0400
@@ -24,7 +24,7 @@
## </summary>
## <param name="domain">
@@ -33163,7 +34105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-07-30 14:06:53.000000000 -0400
@@ -52,6 +52,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33230,7 +34172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.8.8/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/unconfined.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/unconfined.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,15 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -33249,7 +34191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.8.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/unconfined.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/unconfined.if 2010-07-30 14:06:53.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -33296,7 +34238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ ubac_process_exempt($1)
+
+ tunable_policy(`mmap_low_allowed',`
-+ domain_mmap_low($1)
++ allow $1 self:memprotect mmap_zero;
+ ')
+
tunable_policy(`allow_execheap',`
@@ -33746,7 +34688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.8.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/unconfined.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/unconfined.te 2010-07-30 14:06:53.000000000 -0400
@@ -4,227 +4,5 @@
#
# Declarations
@@ -33978,7 +34920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.8.8/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,4 +1,14 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -33997,7 +34939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-07-30 14:06:53.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -35565,7 +36507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3128,3 +3466,779 @@
+@@ -3128,3 +3466,854 @@
allow $1 userdomain:dbus send_msg;
')
@@ -36345,9 +37287,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ dontaudit $1 user_tmp_t:dir search_dir_perms;
+')
++
++########################################
++## <summary>
++## Execute a file in a user home directory
++## in the specified domain.
++## </summary>
++## <desc>
++## <p>
++## Execute a file in a user home directory
++## in the specified domain.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
++## </summary>
++## </param>
++#
++interface(`userdom_domtrans_user_home',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ read_lnk_files_pattern($1, user_home_t, user_home_t)
++ domain_transition_pattern($1, user_home_t, $2)
++ type_transition $1 user_home_t:process $2;
++')
++
++########################################
++## <summary>
++## Execute a file in a user tmp directory
++## in the specified domain.
++## </summary>
++## <desc>
++## <p>
++## Execute a file in a user tmp directory
++## in the specified domain.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
++## </summary>
++## </param>
++#
++interface(`userdom_domtrans_user_tmp',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ domain_transition_pattern($1, user_tmp_t, $2)
++ type_transition $1 user_tmp_t:process $2;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.8.8/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.te 2010-07-30 14:06:53.000000000 -0400
@@ -43,6 +43,13 @@
## <desc>
@@ -36428,7 +37445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+dontaudit unpriv_userdomain self:dir setattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.8.8/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/xen.fc 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/xen.fc 2010-07-30 14:06:53.000000000 -0400
@@ -1,7 +1,5 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
@@ -36439,7 +37456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc
ifdef(`distro_debian',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.8.8/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/xen.if 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/xen.if 2010-07-30 14:06:53.000000000 -0400
@@ -87,6 +87,26 @@
## </summary>
## </param>
@@ -36480,7 +37497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.8/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-07-30 14:06:53.000000000 -0400
@@ -4,6 +4,7 @@
#
# Declarations
@@ -36638,7 +37655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
files_search_mnt(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.8.8/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.8/policy/support/misc_patterns.spt 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/support/misc_patterns.spt 2010-07-30 14:06:53.000000000 -0400
@@ -15,7 +15,7 @@
domain_transition_pattern($1,$2,$3)
@@ -36664,7 +37681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.8.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/support/obj_perm_sets.spt 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/support/obj_perm_sets.spt 2010-07-30 14:06:53.000000000 -0400
@@ -28,7 +28,7 @@
#
# All socket classes.
@@ -36776,7 +37793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8.8/policy/users
--- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.8.8/policy/users 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/users 2010-07-30 14:06:53.000000000 -0400
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
@@ -36812,7 +37829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.8.8/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/support/Makefile.devel 2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/support/Makefile.devel 2010-07-30 14:06:53.000000000 -0400
@@ -68,8 +68,8 @@
# default MLS/MCS sensitivity and category settings.
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 92f9e0a..f45af40 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 8%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -331,7 +331,7 @@ if [ $1 -eq 1 ]; then
%loadpolicy targeted $packages
restorecon -R /root /var/log /var/run /var/lib 2> /dev/null
else
- semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
+ semodule -n -s targeted -r pyzor -r razor -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
%loadpolicy targeted $packages
%relabel targeted
fi
@@ -450,7 +450,7 @@ SELinux Reference policy mls base module.
%saveFileContext mls
%post mls
-semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
+semodule -n -s mls -r pyzor -r razor -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
packages=`cat /usr/share/selinux/mls/modules.lst`
%loadpolicy mls $packages
@@ -469,6 +469,23 @@ exit 0
%endif
%changelog
+* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
+- Fix devicekit_power bug
+- Allow policykit_auth_t more access.
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-11
+- Fix nis calls to allow bind to ports 512-1024
+- Fix smartmon
+
+* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-10
+- Allow pcscd to read sysfs
+- systemd fixes
+- Fix wine_mmap_zero_ignore boolean
+
+* Tue Aug 3 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-9
+- Apply Miroslav munin patch
+- Turn back on allow_execmem and allow_execmod booleans
+
* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-8
- Merge in fixes from dgrift repository